Series comparison

-[PULL 00/45] target-arm queue
+[PULL 00/28] target-arm queue
-I don't have anything else queued up at the moment, so this is just
+Hi; this is the latest target-arm queue; most of this is a refactoring
-Richard's SME patches.
+patchset from RTH for the arm page-table-walk emulation.
+thanks
 -- PMM
-The following changes since commit 63b38f6c85acd312c2cab68554abf33adf4ee2b3:
+The following changes since commit f1d33f55c47dfdaf8daacd618588ad3ae4c452d1:
-  Merge tag 'pull-target-arm-20220707' of https://git.linaro.org/people/pmaydell/qemu-arm into staging (2022-07-08 06:17:11 +0530)
+  Merge tag 'pull-testing-gdbstub-plugins-gitdm-061022-3' of https://github.com/stsquad/qemu into staging (2022-10-06 07:11:56 -0400)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220711
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221010
-for you to fetch changes up to f9982ceaf26df27d15547a3a7990a95019e9e3a8:
+for you to fetch changes up to 915f62844cf62e428c7c178149b5ff1cbe129b07:
-  linux-user/aarch64: Add SME related hwcap entries (2022-07-11 13:43:52 +0100)
+  docs/system/arm/emulation.rst: Report FEAT_GTG support (2022-10-10 14:52:25 +0100)
 ----------------------------------------------------------------
-target-arm:
+target-arm queue:
- * Implement SME emulation, for both system and linux-user
+ * Retry KVM_CREATE_VM call if it fails EINTR
  * allow setting SCR_EL3.EnTP2 when FEAT_SME is implemented
  * docs/nuvoton: Update URL for images
  * refactoring of page table walk code
  * hw/arm/boot: set CPTR_EL3.ESM and SCR_EL3.EnTP2 when booting Linux with EL3
  * Don't allow guest to use unimplemented granule sizes
  * Report FEAT_GTG support
 ----------------------------------------------------------------
-Richard Henderson (45):
+Jerome Forissier (2):
-      target/arm: Handle SME in aarch64_cpu_dump_state
+      target/arm: allow setting SCR_EL3.EnTP2 when FEAT_SME is implemented
-      target/arm: Add infrastructure for disas_sme
+      hw/arm/boot: set CPTR_EL3.ESM and SCR_EL3.EnTP2 when booting Linux with EL3
       target/arm: Trap non-streaming usage when Streaming SVE is active
       target/arm: Mark ADR as non-streaming
       target/arm: Mark RDFFR, WRFFR, SETFFR as non-streaming
       target/arm: Mark BDEP, BEXT, BGRP, COMPACT, FEXPA, FTSSEL as non-streaming
       target/arm: Mark PMULL, FMMLA as non-streaming
       target/arm: Mark FTSMUL, FTMAD, FADDA as non-streaming
       target/arm: Mark SMMLA, UMMLA, USMMLA as non-streaming
       target/arm: Mark string/histo/crypto as non-streaming
       target/arm: Mark gather/scatter load/store as non-streaming
       target/arm: Mark gather prefetch as non-streaming
       target/arm: Mark LDFF1 and LDNF1 as non-streaming
       target/arm: Mark LD1RO as non-streaming
       target/arm: Add SME enablement checks
       target/arm: Handle SME in sve_access_check
       target/arm: Implement SME RDSVL, ADDSVL, ADDSPL
       target/arm: Implement SME ZERO
       target/arm: Implement SME MOVA
       target/arm: Implement SME LD1, ST1
       target/arm: Export unpredicated ld/st from translate-sve.c
       target/arm: Implement SME LDR, STR
       target/arm: Implement SME ADDHA, ADDVA
       target/arm: Implement FMOPA, FMOPS (non-widening)
       target/arm: Implement BFMOPA, BFMOPS
       target/arm: Implement FMOPA, FMOPS (widening)
       target/arm: Implement SME integer outer product
       target/arm: Implement PSEL
       target/arm: Implement REVD
       target/arm: Implement SCLAMP, UCLAMP
       target/arm: Reset streaming sve state on exception boundaries
       target/arm: Enable SME for -cpu max
       linux-user/aarch64: Clear tpidr2_el0 if CLONE_SETTLS
       linux-user/aarch64: Reset PSTATE.SM on syscalls
       linux-user/aarch64: Add SM bit to SVE signal context
       linux-user/aarch64: Tidy target_restore_sigframe error return
       linux-user/aarch64: Do not allow duplicate or short sve records
       linux-user/aarch64: Verify extra record lock succeeded
       linux-user/aarch64: Move sve record checks into restore
       linux-user/aarch64: Implement SME signal handling
       linux-user: Rename sve prctls
       linux-user/aarch64: Implement PR_SME_GET_VL, PR_SME_SET_VL
       target/arm: Only set ZEN in reset if SVE present
       target/arm: Enable SME for user-only
       linux-user/aarch64: Add SME related hwcap entries
- docs/system/arm/emulation.rst     |    4 +
+Joel Stanley (1):
- linux-user/aarch64/target_cpu.h   |    5 +-
+      docs/nuvoton: Update URL for images
- linux-user/aarch64/target_prctl.h |   62 +-
- target/arm/cpu.h                  |    7 +
+Peter Maydell (4):
- target/arm/helper-sme.h           |  126 ++++
+      target/arm/kvm: Retry KVM_CREATE_VM call if it fails EINTR
- target/arm/helper-sve.h           |    4 +
+      target/arm: Don't allow guest to use unimplemented granule sizes
- target/arm/helper.h               |   18 +
+      target/arm: Use ARMGranuleSize in ARMVAParameters
- target/arm/translate-a64.h        |   45 ++
+      docs/system/arm/emulation.rst: Report FEAT_GTG support
- target/arm/translate.h            |   16 +
- target/arm/sme-fa64.decode        |   60 ++
+Richard Henderson (21):
- target/arm/sme.decode             |   88 +++
+      target/arm: Split s2walk_secure from ipa_secure in get_phys_addr
- target/arm/sve.decode             |   41 +-
+      target/arm: Make the final stage1+2 write to secure be unconditional
- linux-user/aarch64/cpu_loop.c     |    9 +
+      target/arm: Add is_secure parameter to get_phys_addr_lpae
- linux-user/aarch64/signal.c       |  243 ++++++--
+      target/arm: Fix S2 disabled check in S1_ptw_translate
- linux-user/elfload.c              |   20 +
+      target/arm: Add is_secure parameter to regime_translation_disabled
- linux-user/syscall.c              |   28 +-
+      target/arm: Split out get_phys_addr_with_secure
- target/arm/cpu.c                  |   35 +-
+      target/arm: Add is_secure parameter to v7m_read_half_insn
- target/arm/cpu64.c                |   11 +
+      target/arm: Add TBFLAG_M32.SECURE
- target/arm/helper.c               |   56 +-
+      target/arm: Merge regime_is_secure into get_phys_addr
- target/arm/sme_helper.c           | 1140 +++++++++++++++++++++++++++++++++++++
+      target/arm: Add is_secure parameter to do_ats_write
- target/arm/sve_helper.c           |   28 +
+      target/arm: Fold secure and non-secure a-profile mmu indexes
- target/arm/translate-a64.c        |  103 +++-
+      target/arm: Reorg regime_translation_disabled
- target/arm/translate-sme.c        |  373 ++++++++++++
+      target/arm: Drop secure check for HCR.TGE vs SCTLR_EL1.M
- target/arm/translate-sve.c        |  393 ++++++++++---
+      target/arm: Introduce arm_hcr_el2_eff_secstate
- target/arm/translate-vfp.c        |   12 +
+      target/arm: Hoist read of *is_secure in S1_ptw_translate
- target/arm/translate.c            |    2 +
+      target/arm: Remove env argument from combined_attrs_fwb
- target/arm/vec_helper.c           |   24 +
+      target/arm: Pass HCR to attribute subroutines.
- target/arm/meson.build            |    3 +
+      target/arm: Fix ATS12NSO* from S PL1
-files changed, 2821 insertions(+), 135 deletions(-)
+      target/arm: Split out get_phys_addr_disabled
- create mode 100644 target/arm/sme-fa64.decode
+      target/arm: Fix cacheattr in get_phys_addr_disabled
- create mode 100644 target/arm/sme.decode
+      target/arm: Use tlb_set_page_full
- create mode 100644 target/arm/translate-sme.c
  docs/system/arm/emulation.rst |   1 +
  docs/system/arm/nuvoton.rst   |   4 +-
  target/arm/cpu-param.h        |   2 +-
  target/arm/cpu.h              | 181 ++++++++------
  target/arm/internals.h        | 150 ++++++-----
  hw/arm/boot.c                 |   4 +
  target/arm/helper.c           | 332 ++++++++++++++----------
  target/arm/kvm.c              |   4 +-
  target/arm/m_helper.c         |  29 ++-
  target/arm/ptw.c              | 570 ++++++++++++++++++++++--------------------
  target/arm/tlb_helper.c       |   9 +-
  target/arm/translate-a64.c    |   8 -
  target/arm/translate.c        |   9 +-
 files changed, 717 insertions(+), 586 deletions(-)

-[PULL 01/45] target/arm: Handle SME in aarch64_cpu_dump_state
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Dump SVCR, plus use the correct access check for Streaming Mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-2-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.c | 17 ++++++++++++++++-
-file changed, 16 insertions(+), 1 deletion(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-     int i;
-     int el = arm_current_el(env);
-     const char *ns_status;
-+    bool sve;
-     qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
-     for (i = 0; i < 32; i++) {
-@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-                  el,
-                  psr & PSTATE_SP ? 'h' : 't');
-+    if (cpu_isar_feature(aa64_sme, cpu)) {
-+        qemu_fprintf(f, "  SVCR=%08" PRIx64 " %c%c",
-+                     env->svcr,
-+                     (FIELD_EX64(env->svcr, SVCR, ZA) ? 'Z' : '-'),
-+                     (FIELD_EX64(env->svcr, SVCR, SM) ? 'S' : '-'));
-+    }
-     if (cpu_isar_feature(aa64_bti, cpu)) {
-         qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
-     }
-@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-     qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
-                  vfp_get_fpcr(env), vfp_get_fpsr(env));
--    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
-+    if (cpu_isar_feature(aa64_sme, cpu) && FIELD_EX64(env->svcr, SVCR, SM)) {
-+        sve = sme_exception_el(env, el) == 0;
-+    } else if (cpu_isar_feature(aa64_sve, cpu)) {
-+        sve = sve_exception_el(env, el) == 0;
-+    } else {
-+        sve = false;
-+    }
-+
-+    if (sve) {
-         int j, zcr_len = sve_vqm1_for_el(env, el);
-         for (i = 0; i <= FFR_PRED_NUM; i++) {
---
-.25.1

-[PULL 45/45] linux-user/aarch64: Add SME related hwcap entries
+[PULL 01/28] target/arm/kvm: Retry KVM_CREATE_VM call if it fails EINTR
-From: Richard Henderson <richard.henderson@linaro.org>
+Occasionally the KVM_CREATE_VM ioctl can return EINTR, even though
 there is no pending signal to be taken. In commit 94ccff13382055
 we added a retry-on-EINTR loop to the KVM_CREATE_VM call in the
 generic KVM code. Adopt the same approach for the use of the
 ioctl in the Arm-specific KVM code (where we use it to create a
 scratch VM for probing for various things).
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+For more information, see the mailing list thread:
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+https://lore.kernel.org/qemu-devel/8735e0s1zw.wl-maz@kernel.org/
-Message-id: 20220708151540.18136-46-richard.henderson@linaro.org
 Reported-by: Vitaly Chikunov <vt@altlinux.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Message-id: 20220930113824.1933293-1-peter.maydell@linaro.org
 ---
- linux-user/elfload.c | 20 ++++++++++++++++++++
+ target/arm/kvm.c | 4 +++-
-file changed, 20 insertions(+)
+file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/linux-user/elfload.c b/linux-user/elfload.c
+diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/elfload.c
+--- a/target/arm/kvm.c
-+++ b/linux-user/elfload.c
++++ b/target/arm/kvm.c
-@@ -XXX,XX +XXX,XX @@ enum {
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try,
-     ARM_HWCAP2_A64_RNG          = 1 << 16,
+     if (max_vm_pa_size < 0) {
-     ARM_HWCAP2_A64_BTI          = 1 << 17,
+         max_vm_pa_size = 0;
-     ARM_HWCAP2_A64_MTE          = 1 << 18,
+     }
-+    ARM_HWCAP2_A64_ECV          = 1 << 19,
+-    vmfd = ioctl(kvmfd, KVM_CREATE_VM, max_vm_pa_size);
-+    ARM_HWCAP2_A64_AFP          = 1 << 20,
++    do {
-+    ARM_HWCAP2_A64_RPRES        = 1 << 21,
++        vmfd = ioctl(kvmfd, KVM_CREATE_VM, max_vm_pa_size);
-+    ARM_HWCAP2_A64_MTE3         = 1 << 22,
++    } while (vmfd == -1 && errno == EINTR);
-+    ARM_HWCAP2_A64_SME          = 1 << 23,
+     if (vmfd < 0) {
-+    ARM_HWCAP2_A64_SME_I16I64   = 1 << 24,
+         goto err;
-+    ARM_HWCAP2_A64_SME_F64F64   = 1 << 25,
+     }
 +    ARM_HWCAP2_A64_SME_I8I32    = 1 << 26,
 +    ARM_HWCAP2_A64_SME_F16F32   = 1 << 27,
 +    ARM_HWCAP2_A64_SME_B16F32   = 1 << 28,
 +    ARM_HWCAP2_A64_SME_F32F32   = 1 << 29,
 +    ARM_HWCAP2_A64_SME_FA64     = 1 << 30,
  };
  #define ELF_HWCAP   get_elf_hwcap()
@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap2(void)
      GET_FEATURE_ID(aa64_rndr, ARM_HWCAP2_A64_RNG);
      GET_FEATURE_ID(aa64_bti, ARM_HWCAP2_A64_BTI);
      GET_FEATURE_ID(aa64_mte, ARM_HWCAP2_A64_MTE);
 +    GET_FEATURE_ID(aa64_sme, (ARM_HWCAP2_A64_SME |
 +                              ARM_HWCAP2_A64_SME_F32F32 |
 +                              ARM_HWCAP2_A64_SME_B16F32 |
 +                              ARM_HWCAP2_A64_SME_F16F32 |
 +                              ARM_HWCAP2_A64_SME_I8I32));
 +    GET_FEATURE_ID(aa64_sme_f64f64, ARM_HWCAP2_A64_SME_F64F64);
 +    GET_FEATURE_ID(aa64_sme_i16i64, ARM_HWCAP2_A64_SME_I16I64);
 +    GET_FEATURE_ID(aa64_sme_fa64, ARM_HWCAP2_A64_SME_FA64);
      return hwcaps;
  }
 --
 .25.1

-[PULL 44/45] target/arm: Enable SME for user-only
+[PULL 02/28] target/arm: allow setting SCR_EL3.EnTP2 when FEAT_SME is implemented
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Jerome Forissier <jerome.forissier@linaro.org>
-Enable SME, TPIDR2_EL0, and FA64 if supported by the cpu.
+Updates write_scr() to allow setting SCR_EL3.EnTP2 when FEAT_SME is
 implemented. SCR_EL3 being a 64-bit register, valid_mask is changed
 to uint64_t and the SCR_* constants in target/arm/cpu.h are extended
 to 64-bit so that masking and bitwise not (~) behave as expected.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+This enables booting Linux with Trusted Firmware-A at EL3 with
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+"-M virt,secure=on -cpu max".
-Message-id: 20220708151540.18136-45-richard.henderson@linaro.org
 Cc: qemu-stable@nongnu.org
 Fixes: 78cb9776662a ("target/arm: Enable SME for -cpu max")
 Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
 Reviewed-by: Andre Przywara <andre.przywara@arm.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20221004072354.27037-1-jerome.forissier@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c | 11 +++++++++++
+ target/arm/cpu.h    | 54 ++++++++++++++++++++++-----------------------
-file changed, 11 insertions(+)
+ target/arm/helper.c |  5 ++++-
 files changed, 31 insertions(+), 28 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/target/arm/cpu.h
-+++ b/target/arm/cpu.c
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
+@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
-                                              CPACR_EL1, ZEN, 3);
-             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
+ #define HPFAR_NS      (1ULL << 63)
 -#define SCR_NS                (1U << 0)
 -#define SCR_IRQ               (1U << 1)
 -#define SCR_FIQ               (1U << 2)
 -#define SCR_EA                (1U << 3)
 -#define SCR_FW                (1U << 4)
 -#define SCR_AW                (1U << 5)
 -#define SCR_NET               (1U << 6)
 -#define SCR_SMD               (1U << 7)
 -#define SCR_HCE               (1U << 8)
 -#define SCR_SIF               (1U << 9)
 -#define SCR_RW                (1U << 10)
 -#define SCR_ST                (1U << 11)
 -#define SCR_TWI               (1U << 12)
 -#define SCR_TWE               (1U << 13)
 -#define SCR_TLOR              (1U << 14)
 -#define SCR_TERR              (1U << 15)
 -#define SCR_APK               (1U << 16)
 -#define SCR_API               (1U << 17)
 -#define SCR_EEL2              (1U << 18)
 -#define SCR_EASE              (1U << 19)
 -#define SCR_NMEA              (1U << 20)
 -#define SCR_FIEN              (1U << 21)
 -#define SCR_ENSCXT            (1U << 25)
 -#define SCR_ATA               (1U << 26)
 -#define SCR_FGTEN             (1U << 27)
 -#define SCR_ECVEN             (1U << 28)
 -#define SCR_TWEDEN            (1U << 29)
 +#define SCR_NS                (1ULL << 0)
 +#define SCR_IRQ               (1ULL << 1)
 +#define SCR_FIQ               (1ULL << 2)
 +#define SCR_EA                (1ULL << 3)
 +#define SCR_FW                (1ULL << 4)
 +#define SCR_AW                (1ULL << 5)
 +#define SCR_NET               (1ULL << 6)
 +#define SCR_SMD               (1ULL << 7)
 +#define SCR_HCE               (1ULL << 8)
 +#define SCR_SIF               (1ULL << 9)
 +#define SCR_RW                (1ULL << 10)
 +#define SCR_ST                (1ULL << 11)
 +#define SCR_TWI               (1ULL << 12)
 +#define SCR_TWE               (1ULL << 13)
 +#define SCR_TLOR              (1ULL << 14)
 +#define SCR_TERR              (1ULL << 15)
 +#define SCR_APK               (1ULL << 16)
 +#define SCR_API               (1ULL << 17)
 +#define SCR_EEL2              (1ULL << 18)
 +#define SCR_EASE              (1ULL << 19)
 +#define SCR_NMEA              (1ULL << 20)
 +#define SCR_FIEN              (1ULL << 21)
 +#define SCR_ENSCXT            (1ULL << 25)
 +#define SCR_ATA               (1ULL << 26)
 +#define SCR_FGTEN             (1ULL << 27)
 +#define SCR_ECVEN             (1ULL << 28)
 +#define SCR_TWEDEN            (1ULL << 29)
  #define SCR_TWEDEL            MAKE_64BIT_MASK(30, 4)
  #define SCR_TME               (1ULL << 34)
  #define SCR_AMVOFFEN          (1ULL << 35)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
  static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
  {
      /* Begin with base v8.0 state.  */
 -    uint32_t valid_mask = 0x3fff;
 +    uint64_t valid_mask = 0x3fff;
      ARMCPU *cpu = env_archcpu(env);
      /*
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
          if (cpu_isar_feature(aa64_doublefault, cpu)) {
              valid_mask |= SCR_EASE | SCR_NMEA;
          }
-+        /* and for SME instructions, with default vector length, and TPIDR2 */
 +        if (cpu_isar_feature(aa64_sme, cpu)) {
-+            env->cp15.sctlr_el[1] |= SCTLR_EnTP2;
++            valid_mask |= SCR_ENTP2;
 +            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
 +                                             CPACR_EL1, SMEN, 3);
 +            env->vfp.smcr_el[1] = cpu->sme_default_vq - 1;
 +            if (cpu_isar_feature(aa64_sme_fa64, cpu)) {
 +                env->vfp.smcr_el[1] = FIELD_DP64(env->vfp.smcr_el[1],
 +                                                 SMCR, FA64, 1);
 +            }
 +        }
-         /*
+     } else {
-          * Enable 48-bit address space (TODO: take reserved_va into account).
+         valid_mask &= ~(SCR_RW | SCR_ST);
-          * Enable TBI0 but not TBI1.
+         if (cpu_isar_feature(aa32_ras, cpu)) {
 --
 .25.1

-[PULL 43/45] target/arm: Only set ZEN in reset if SVE present
+[PULL 03/28] docs/nuvoton: Update URL for images
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Joel Stanley <joel@jms.id.au>
-There's no reason to set CPACR_EL1.ZEN if SVE disabled.
+openpower.xyz was retired some time ago. The OpenBMC Jenkins is where
 images can be found these days.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Hao Wu <wuhaotsh@google.com>
-Message-id: 20220708151540.18136-44-richard.henderson@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20221004050042.22681-1-joel@jms.id.au
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c | 7 +++----
+ docs/system/arm/nuvoton.rst | 4 ++--
-file changed, 3 insertions(+), 4 deletions(-)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/docs/system/arm/nuvoton.rst b/docs/system/arm/nuvoton.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/docs/system/arm/nuvoton.rst
-+++ b/target/arm/cpu.c
++++ b/docs/system/arm/nuvoton.rst
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
+@@ -XXX,XX +XXX,XX @@ Boot options
-         /* and to the FP/Neon instructions */
-         env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+ The Nuvoton machines can boot from an OpenBMC firmware image, or directly into
-                                          CPACR_EL1, FPEN, 3);
+ a kernel using the ``-kernel`` option. OpenBMC images for ``quanta-gsj`` and
--        /* and to the SVE instructions */
+-possibly others can be downloaded from the OpenPOWER jenkins :
--        env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
++possibly others can be downloaded from the OpenBMC jenkins :
--                                         CPACR_EL1, ZEN, 3);
--        /* with reasonable vector length */
+-   https://openpower.xyz/
-+        /* and to the SVE instructions, with default vector length */
++   https://jenkins.openbmc.org/
-         if (cpu_isar_feature(aa64_sve, cpu)) {
-+            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+ The firmware image should be attached as an MTD drive. Example :
-+                                             CPACR_EL1, ZEN, 3);
              env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
          }
          /*
 --
 .25.1

-[PULL 42/45] linux-user/aarch64: Implement PR_SME_GET_VL, PR_SME_SET_VL
+[PULL 04/28] target/arm: Split s2walk_secure from ipa_secure in get_phys_addr
 From: Richard Henderson <richard.henderson@linaro.org>
-These prctl set the Streaming SVE vector length, which may
+The starting security state comes with the translation regime,
-be completely different from the Normal SVE vector length.
+not the current state of arm_is_secure_below_el3().
+Create a new local variable, s2walk_secure, which does not need
+to be written back to result->attrs.secure -- we compute that
+value later, after the S2 walk is complete.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20221001162318.153420-2-richard.henderson@linaro.org
 Message-id: 20220708151540.18136-43-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/target_prctl.h | 54 +++++++++++++++++++++++++++++++
+ target/arm/ptw.c | 18 +++++++++---------
- linux-user/syscall.c              | 16 +++++++++
+file changed, 9 insertions(+), 9 deletions(-)
 files changed, 70 insertions(+)
-diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/target_prctl.h
+--- a/target/arm/ptw.c
-+++ b/linux-user/aarch64/target_prctl.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_get_vl(CPUArchState *env)
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
- {
+             hwaddr ipa;
-     ARMCPU *cpu = env_archcpu(env);
+             int s1_prot;
-     if (cpu_isar_feature(aa64_sve, cpu)) {
+             int ret;
-+        /* PSTATE.SM is always unset on syscall entry. */
+-            bool ipa_secure;
-         return sve_vq(env) * 16;
++            bool ipa_secure, s2walk_secure;
-     }
+             ARMCacheAttrs cacheattrs1;
-     return -TARGET_EINVAL;
+             ARMMMUIdx s2_mmu_idx;
-@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
+             bool is_el0;
-         && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
-         uint32_t vq, old_vq;
+             ipa = result->phys;
-+        /* PSTATE.SM is always unset on syscall entry. */
+             ipa_secure = result->attrs.secure;
-         old_vq = sve_vq(env);
+-            if (arm_is_secure_below_el3(env)) {
+-                if (ipa_secure) {
-         /*
+-                    result->attrs.secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
-@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
+-                } else {
- }
+-                    result->attrs.secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
- #define do_prctl_sve_set_vl do_prctl_sve_set_vl
+-                }
++            if (is_secure) {
-+static abi_long do_prctl_sme_get_vl(CPUArchState *env)
++                /* Select TCR based on the NS bit from the S1 walk. */
-+{
++                s2walk_secure = !(ipa_secure
-+    ARMCPU *cpu = env_archcpu(env);
++                                  ? env->cp15.vstcr_el2 & VSTCR_SW
-+    if (cpu_isar_feature(aa64_sme, cpu)) {
++                                  : env->cp15.vtcr_el2 & VTCR_NSW);
-+        return sme_vq(env) * 16;
+             } else {
-+    }
+                 assert(!ipa_secure);
-+    return -TARGET_EINVAL;
++                s2walk_secure = false;
-+}
+             }
-+#define do_prctl_sme_get_vl do_prctl_sme_get_vl
-+
+-            s2_mmu_idx = (result->attrs.secure
-+static abi_long do_prctl_sme_set_vl(CPUArchState *env, abi_long arg2)
++            s2_mmu_idx = (s2walk_secure
-+{
+                           ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2);
-+    /*
+             is_el0 = mmu_idx == ARMMMUIdx_E10_0 || mmu_idx == ARMMMUIdx_SE10_0;
-+     * We cannot support either PR_SME_SET_VL_ONEXEC or PR_SME_VL_INHERIT.
-+     * Note the kernel definition of sve_vl_valid allows for VQ=512,
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
-+     * i.e. VL=8192, even though the architectural maximum is VQ=16.
+                                                     result->cacheattrs);
-+     */
-+    if (cpu_isar_feature(aa64_sme, env_archcpu(env))
+             /* Check if IPA translates to secure or non-secure PA space. */
-+        && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
+-            if (arm_is_secure_below_el3(env)) {
-+        int vq, old_vq;
++            if (is_secure) {
-+
+                 if (ipa_secure) {
-+        old_vq = sme_vq(env);
+                     result->attrs.secure =
-+
+                         !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW));
 +        /*
 +         * Bound the value of vq, so that we know that it fits into
 +         * the 4-bit field in SMCR_EL1.  Because PSTATE.SM is cleared
 +         * on syscall entry, we are not modifying the current SVE
 +         * vector length.
 +         */
 +        vq = MAX(arg2 / 16, 1);
 +        vq = MIN(vq, 16);
 +        env->vfp.smcr_el[1] =
 +            FIELD_DP64(env->vfp.smcr_el[1], SMCR, LEN, vq - 1);
 +
 +        /* Delay rebuilding hflags until we know if ZA must change. */
 +        vq = sve_vqm1_for_el_sm(env, 0, true) + 1;
 +
 +        if (vq != old_vq) {
 +            /*
 +             * PSTATE.ZA state is cleared on any change to SVL.
 +             * We need not call arm_rebuild_hflags because PSTATE.SM was
 +             * cleared on syscall entry, so this hasn't changed VL.
 +             */
 +            env->svcr = FIELD_DP64(env->svcr, SVCR, ZA, 0);
 +            arm_rebuild_hflags(env);
 +        }
 +        return vq * 16;
 +    }
 +    return -TARGET_EINVAL;
 +}
 +#define do_prctl_sme_set_vl do_prctl_sme_set_vl
 +
  static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
  {
      ARMCPU *cpu = env_archcpu(env);
 diff --git a/linux-user/syscall.c b/linux-user/syscall.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/syscall.c
 +++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr)
  #ifndef PR_SET_SYSCALL_USER_DISPATCH
  # define PR_SET_SYSCALL_USER_DISPATCH 59
  #endif
 +#ifndef PR_SME_SET_VL
 +# define PR_SME_SET_VL  63
 +# define PR_SME_GET_VL  64
 +# define PR_SME_VL_LEN_MASK  0xffff
 +# define PR_SME_VL_INHERIT   (1 << 17)
 +#endif
  #include "target_prctl.h"
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
  #ifndef do_prctl_set_unalign
  #define do_prctl_set_unalign do_prctl_inval1
  #endif
 +#ifndef do_prctl_sme_get_vl
 +#define do_prctl_sme_get_vl do_prctl_inval0
 +#endif
 +#ifndef do_prctl_sme_set_vl
 +#define do_prctl_sme_set_vl do_prctl_inval1
 +#endif
  static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
                           abi_long arg3, abi_long arg4, abi_long arg5)
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
          return do_prctl_sve_get_vl(env);
      case PR_SVE_SET_VL:
          return do_prctl_sve_set_vl(env, arg2);
 +    case PR_SME_GET_VL:
 +        return do_prctl_sme_get_vl(env);
 +    case PR_SME_SET_VL:
 +        return do_prctl_sme_set_vl(env, arg2);
      case PR_PAC_RESET_KEYS:
          if (arg3 || arg4 || arg5) {
              return -TARGET_EINVAL;
 --
 .25.1

-[PULL 41/45] linux-user: Rename sve prctls
+[PULL 05/28] target/arm: Make the final stage1+2 write to secure be unconditional
 From: Richard Henderson <richard.henderson@linaro.org>
-Add "sve" to the sve prctl functions, to distinguish
+While the stage2 call to get_phys_addr_lpae should never set
-them from the coming "sme" prctls with similar names.
+attrs.secure when given a non-secure input, it's just as easy
 to make the final update to attrs.secure be unconditional and
 false in the case of non-secure input.
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20221007152159.1414065-1-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-42-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/target_prctl.h |  8 ++++----
+ target/arm/ptw.c | 21 ++++++++++-----------
- linux-user/syscall.c              | 12 ++++++------
+file changed, 10 insertions(+), 11 deletions(-)
 files changed, 10 insertions(+), 10 deletions(-)
-diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/target_prctl.h
+--- a/target/arm/ptw.c
-+++ b/linux-user/aarch64/target_prctl.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
- #ifndef AARCH64_TARGET_PRCTL_H
+             result->cacheattrs = combine_cacheattrs(env, cacheattrs1,
- #define AARCH64_TARGET_PRCTL_H
+                                                     result->cacheattrs);
--static abi_long do_prctl_get_vl(CPUArchState *env)
+-            /* Check if IPA translates to secure or non-secure PA space. */
-+static abi_long do_prctl_sve_get_vl(CPUArchState *env)
+-            if (is_secure) {
- {
+-                if (ipa_secure) {
-     ARMCPU *cpu = env_archcpu(env);
+-                    result->attrs.secure =
-     if (cpu_isar_feature(aa64_sve, cpu)) {
+-                        !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW));
-@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_get_vl(CPUArchState *env)
+-                } else {
-     }
+-                    result->attrs.secure =
-     return -TARGET_EINVAL;
+-                        !((env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))
- }
+-                        || (env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW)));
--#define do_prctl_get_vl do_prctl_get_vl
+-                }
-+#define do_prctl_sve_get_vl do_prctl_sve_get_vl
+-            }
++            /*
--static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
++             * Check if IPA translates to secure or non-secure PA space.
-+static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
++             * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
- {
++             */
-     /*
++            result->attrs.secure =
-      * We cannot support either PR_SVE_SET_VL_ONEXEC or PR_SVE_VL_INHERIT.
++                (is_secure
-@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
++                 && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
-     }
++                 && (ipa_secure
-     return -TARGET_EINVAL;
++                     || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
- }
++
--#define do_prctl_set_vl do_prctl_set_vl
+             return 0;
-+#define do_prctl_sve_set_vl do_prctl_sve_set_vl
+         } else {
+             /*
  static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
  {
 diff --git a/linux-user/syscall.c b/linux-user/syscall.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/syscall.c
 +++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
  #ifndef do_prctl_set_fp_mode
  #define do_prctl_set_fp_mode do_prctl_inval1
  #endif
 -#ifndef do_prctl_get_vl
 -#define do_prctl_get_vl do_prctl_inval0
 +#ifndef do_prctl_sve_get_vl
 +#define do_prctl_sve_get_vl do_prctl_inval0
  #endif
 -#ifndef do_prctl_set_vl
 -#define do_prctl_set_vl do_prctl_inval1
 +#ifndef do_prctl_sve_set_vl
 +#define do_prctl_sve_set_vl do_prctl_inval1
  #endif
  #ifndef do_prctl_reset_keys
  #define do_prctl_reset_keys do_prctl_inval1
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
      case PR_SET_FP_MODE:
          return do_prctl_set_fp_mode(env, arg2);
      case PR_SVE_GET_VL:
 -        return do_prctl_get_vl(env);
 +        return do_prctl_sve_get_vl(env);
      case PR_SVE_SET_VL:
 -        return do_prctl_set_vl(env, arg2);
 +        return do_prctl_sve_set_vl(env, arg2);
      case PR_PAC_RESET_KEYS:
          if (arg3 || arg4 || arg5) {
              return -TARGET_EINVAL;
 --
 .25.1

-[PULL 18/45] target/arm: Implement SME ZERO
+[PULL 06/28] target/arm: Add is_secure parameter to get_phys_addr_lpae
 From: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Remove the use of regime_is_secure from get_phys_addr_lpae,
 using the new parameter instead.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-19-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper-sme.h    |  2 ++
+ target/arm/ptw.c | 20 ++++++++++----------
- target/arm/sme.decode      |  4 ++++
+file changed, 10 insertions(+), 10 deletions(-)
  target/arm/sme_helper.c    | 25 +++++++++++++++++++++++++
  target/arm/translate-sme.c | 13 +++++++++++++
 files changed, 44 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/helper-sme.h
++++ b/target/arm/ptw.c
 @@ -XXX,XX +XXX,XX @@
- DEF_HELPER_FLAGS_2(set_pstate_sm, TCG_CALL_NO_RWG, void, env, i32)
+ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
- DEF_HELPER_FLAGS_2(set_pstate_za, TCG_CALL_NO_RWG, void, env, i32)
+                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
-+
+-                               bool s1_is_el0, GetPhysAddrResult *result,
-+DEF_HELPER_FLAGS_3(sme_zero, TCG_CALL_NO_RWG, void, env, i32, i32)
+-                               ARMMMUFaultInfo *fi)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
++                               bool is_secure, bool s1_is_el0,
-index XXXXXXX..XXXXXXX 100644
++                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
---- a/target/arm/sme.decode
+     __attribute__((nonnull));
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@
+ /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
- #
+@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
- # This file is processed by scripts/decodetree.py
+         GetPhysAddrResult s2 = {};
- #
+         int ret;
-+
-+### SME Misc
+-        ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx, false,
-+
+-                                 &s2, fi);
-+ZERO            11000000 00 001 00000000000 imm:8
++        ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx,
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
++                                 *is_secure, false, &s2, fi);
-index XXXXXXX..XXXXXXX 100644
+         if (ret) {
---- a/target/arm/sme_helper.c
+             assert(fi->type != ARMFault_None);
-+++ b/target/arm/sme_helper.c
+             fi->s2addr = addr;
-@@ -XXX,XX +XXX,XX @@ void helper_set_pstate_za(CPUARMState *env, uint32_t i)
+@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
-         memset(env->zarray, 0, sizeof(env->zarray));
+  */
  static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
                                 MMUAccessType access_type, ARMMMUIdx mmu_idx,
 -                               bool s1_is_el0, GetPhysAddrResult *result,
 -                               ARMMMUFaultInfo *fi)
 +                               bool is_secure, bool s1_is_el0,
 +                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
  {
      ARMCPU *cpu = env_archcpu(env);
      /* Read an LPAE long-descriptor translation table. */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
       * remain non-secure. We implement this by just ORing in the NSTable/NS
       * bits at each step.
       */
 -    tableattrs = regime_is_secure(env, mmu_idx) ? 0 : (1 << 4);
 +    tableattrs = is_secure ? 0 : (1 << 4);
      for (;;) {
          uint64_t descriptor;
          bool nstable;
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
              memset(result, 0, sizeof(*result));
              ret = get_phys_addr_lpae(env, ipa, access_type, s2_mmu_idx,
 -                                     is_el0, result, fi);
 +                                     s2walk_secure, is_el0, result, fi);
              fi->s2addr = ipa;
              /* Combine the S1 and S2 perms.  */
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
      }
- }
-+
+     if (regime_using_lpae_format(env, mmu_idx)) {
-+void helper_sme_zero(CPUARMState *env, uint32_t imm, uint32_t svl)
+-        return get_phys_addr_lpae(env, address, access_type, mmu_idx, false,
-+{
+-                                  result, fi);
-+    uint32_t i;
++        return get_phys_addr_lpae(env, address, access_type, mmu_idx,
-+
++                                  is_secure, false, result, fi);
-+    /*
+     } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
-+     * Special case clearing the entire ZA space.
+         return get_phys_addr_v6(env, address, access_type, mmu_idx,
-+     * This falls into the CONSTRAINED UNPREDICTABLE zeroing of any
+                                 is_secure, result, fi);
 +     * parts of the ZA storage outside of SVL.
 +     */
 +    if (imm == 0xff) {
 +        memset(env->zarray, 0, sizeof(env->zarray));
 +        return;
 +    }
 +
 +    /*
 +     * Recall that ZAnH.D[m] is spread across ZA[n+8*m],
 +     * so each row is discontiguous within ZA[].
 +     */
 +    for (i = 0; i < svl; i++) {
 +        if (imm & (1 << (i % 8))) {
 +            memset(&env->zarray[i], 0, svl);
 +        }
 +    }
 +}
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sme.c
 +++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "decode-sme.c.inc"
 +
 +
 +static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
 +{
 +    if (!dc_isar_feature(aa64_sme, s)) {
 +        return false;
 +    }
 +    if (sme_za_enabled_check(s)) {
 +        gen_helper_sme_zero(cpu_env, tcg_constant_i32(a->imm),
 +                            tcg_constant_i32(streaming_vec_reg_size(s)));
 +    }
 +    return true;
 +}
 --
 .25.1

-[PULL 29/45] target/arm: Implement REVD
+[PULL 07/28] target/arm: Fix S2 disabled check in S1_ptw_translate
 From: Richard Henderson <richard.henderson@linaro.org>
-This is an SVE instruction that operates using the SVE vector
+Pass the correct stage2 mmu_idx to regime_translation_disabled,
-length but that it is present only if SME is implemented.
+which we computed afterward.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20221001162318.153420-4-richard.henderson@linaro.org
 Message-id: 20220708151540.18136-30-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper-sve.h    |  2 ++
+ target/arm/ptw.c | 6 +++---
- target/arm/sve.decode      |  1 +
+file changed, 3 insertions(+), 3 deletions(-)
  target/arm/sve_helper.c    | 16 ++++++++++++++++
  target/arm/translate-sve.c |  2 ++
 files changed, 21 insertions(+)
-diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sve.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/helper-sve.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sve_revh_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
+                                hwaddr addr, bool *is_secure,
- DEF_HELPER_FLAGS_4(sve_revw_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+                                ARMMMUFaultInfo *fi)
+ {
-+DEF_HELPER_FLAGS_4(sme_revd_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++    ARMMMUIdx s2_mmu_idx = *is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 +
- DEF_HELPER_FLAGS_4(sve_rbit_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+     if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
- DEF_HELPER_FLAGS_4(sve_rbit_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+-        !regime_translation_disabled(env, ARMMMUIdx_Stage2)) {
- DEF_HELPER_FLAGS_4(sve_rbit_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+-        ARMMMUIdx s2_mmu_idx = *is_secure ? ARMMMUIdx_Stage2_S
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
+-                                          : ARMMMUIdx_Stage2;
-index XXXXXXX..XXXXXXX 100644
++        !regime_translation_disabled(env, s2_mmu_idx)) {
---- a/target/arm/sve.decode
+         GetPhysAddrResult s2 = {};
-+++ b/target/arm/sve.decode
+         int ret;
@@ -XXX,XX +XXX,XX @@ REVB            00000101 .. 1001 00 100 ... ..... .....         @rd_pg_rn
  REVH            00000101 .. 1001 01 100 ... ..... .....         @rd_pg_rn
  REVW            00000101 .. 1001 10 100 ... ..... .....         @rd_pg_rn
  RBIT            00000101 .. 1001 11 100 ... ..... .....         @rd_pg_rn
 +REVD            00000101 00 1011 10 100 ... ..... .....         @rd_pg_rn_e0
  # SVE vector splice (predicated, destructive)
  SPLICE          00000101 .. 101 100 100 ... ..... .....         @rdn_pg_rm
 diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve_helper.c
 +++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ DO_ZPZ_D(sve_revh_d, uint64_t, hswap64)
  DO_ZPZ_D(sve_revw_d, uint64_t, wswap64)
 +void HELPER(sme_revd_q)(void *vd, void *vn, void *vg, uint32_t desc)
 +{
 +    intptr_t i, opr_sz = simd_oprsz(desc) / 8;
 +    uint64_t *d = vd, *n = vn;
 +    uint8_t *pg = vg;
 +
 +    for (i = 0; i < opr_sz; i += 2) {
 +        if (pg[H1(i)] & 1) {
 +            uint64_t n0 = n[i + 0];
 +            uint64_t n1 = n[i + 1];
 +            d[i + 0] = n1;
 +            d[i + 1] = n0;
 +        }
 +    }
 +}
 +
  DO_ZPZ(sve_rbit_b, uint8_t, H1, revbit8)
  DO_ZPZ(sve_rbit_h, uint16_t, H1_2, revbit16)
  DO_ZPZ(sve_rbit_s, uint32_t, H1_4, revbit32)
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(REVH, aa64_sve, gen_gvec_ool_arg_zpz, revh_fns[a->esz], a, 0)
  TRANS_FEAT(REVW, aa64_sve, gen_gvec_ool_arg_zpz,
             a->esz == 3 ? gen_helper_sve_revw_d : NULL, a, 0)
 +TRANS_FEAT(REVD, aa64_sme, gen_gvec_ool_arg_zpz, gen_helper_sme_revd_q, a, 0)
 +
  TRANS_FEAT(SPLICE, aa64_sve, gen_gvec_ool_arg_zpzz,
             gen_helper_sve_splice, a, a->esz)
 --
 .25.1

-[PULL 19/45] target/arm: Implement SME MOVA
+[PULL 08/28] target/arm: Add is_secure parameter to regime_translation_disabled
 From: Richard Henderson <richard.henderson@linaro.org>
-We can reuse the SVE functions for implementing moves to/from
+Remove the use of regime_is_secure from regime_translation_disabled,
-horizontal tile slices, but we need new ones for moves to/from
+using the new parameter instead.
-vertical tile slices.
 This fixes a bug in S1_ptw_translate and get_phys_addr where we had
 passed ARMMMUIdx_Stage2 and not ARMMMUIdx_Stage2_S to determine if
 Stage2 is disabled, affecting FEAT_SEL2.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-20-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-5-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper-sme.h    |  12 +++
+ target/arm/ptw.c | 20 +++++++++++---------
- target/arm/helper-sve.h    |   2 +
+file changed, 11 insertions(+), 9 deletions(-)
  target/arm/translate-a64.h |   8 ++
  target/arm/translate.h     |   5 ++
  target/arm/sme.decode      |  15 ++++
  target/arm/sme_helper.c    | 151 ++++++++++++++++++++++++++++++++++++-
  target/arm/sve_helper.c    |  12 +++
  target/arm/translate-sme.c | 127 +++++++++++++++++++++++++++++++
 files changed, 331 insertions(+), 1 deletion(-)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/helper-sme.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_2(set_pstate_sm, TCG_CALL_NO_RWG, void, env, i32)
+@@ -XXX,XX +XXX,XX @@ static uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn)
  DEF_HELPER_FLAGS_2(set_pstate_za, TCG_CALL_NO_RWG, void, env, i32)
  DEF_HELPER_FLAGS_3(sme_zero, TCG_CALL_NO_RWG, void, env, i32, i32)
 +
 +/* Move to/from vertical array slices, i.e. columns, so 'c'.  */
 +DEF_HELPER_FLAGS_4(sme_mova_cz_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_cz_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_cz_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_cz_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_cz_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper-sve.h
 +++ b/target/arm/helper-sve.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sve_sel_zpzz_s, TCG_CALL_NO_RWG,
                     void, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_5(sve_sel_zpzz_d, TCG_CALL_NO_RWG,
                     void, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_5(sve_sel_zpzz_q, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_5(sve2_addp_zpzz_b, TCG_CALL_NO_RWG,
                     void, ptr, ptr, ptr, ptr, i32)
 diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.h
 +++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ static inline int pred_gvec_reg_size(DisasContext *s)
      return size_for_gvec(pred_full_reg_size(s));
  }
-+/* Return a newly allocated pointer to the predicate register.  */
+ /* Return true if the specified stage of address translation is disabled */
-+static inline TCGv_ptr pred_full_reg_ptr(DisasContext *s, int regno)
+-static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx)
-+{
++static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
-+    TCGv_ptr ret = tcg_temp_new_ptr();
++                                        bool is_secure)
 +    tcg_gen_addi_ptr(ret, cpu_env, pred_full_reg_offset(s, regno));
 +    return ret;
 +}
 +
  bool disas_sve(DisasContext *, uint32_t);
  bool disas_sme(DisasContext *, uint32_t);
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ static inline int plus_2(DisasContext *s, int x)
      return x + 2;
  }
 +static inline int plus_12(DisasContext *s, int x)
 +{
 +    return x + 12;
 +}
 +
  static inline int times_2(DisasContext *s, int x)
  {
-     return x * 2;
+     uint64_t hcr_el2;
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
+     if (arm_feature(env, ARM_FEATURE_M)) {
---- a/target/arm/sme.decode
+-        switch (env->v7m.mpu_ctrl[regime_is_secure(env, mmu_idx)] &
-+++ b/target/arm/sme.decode
++        switch (env->v7m.mpu_ctrl[is_secure] &
-@@ -XXX,XX +XXX,XX @@
+                 (R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK)) {
- ### SME Misc
+         case R_V7M_MPU_CTRL_ENABLE_MASK:
+             /* Enabled, but not for HardFault and NMI */
- ZERO            11000000 00 001 00000000000 imm:8
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx)
-+
-+### SME Move into/from Array
+     if (hcr_el2 & HCR_TGE) {
-+
+         /* TGE means that NS EL0/1 act as if SCTLR_EL1.M is zero */
-+%mova_rs        13:2 !function=plus_12
+-        if (!regime_is_secure(env, mmu_idx) && regime_el(env, mmu_idx) == 1) {
-+&mova           esz rs pg zr za_imm v:bool to_vec:bool
++        if (!is_secure && regime_el(env, mmu_idx) == 1) {
-+
+             return true;
 +MOVA            11000000 esz:2 00000 0 v:1 .. pg:3 zr:5 0 za_imm:4  \
 +                &mova to_vec=0 rs=%mova_rs
 +MOVA            11000000 11    00000 1 v:1 .. pg:3 zr:5 0 za_imm:4  \
 +                &mova to_vec=0 rs=%mova_rs esz=4
 +
 +MOVA            11000000 esz:2 00001 0 v:1 .. pg:3 0 za_imm:4 zr:5  \
 +                &mova to_vec=1 rs=%mova_rs
 +MOVA            11000000 11    00001 1 v:1 .. pg:3 0 za_imm:4 zr:5  \
 +                &mova to_vec=1 rs=%mova_rs esz=4
 diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "cpu.h"
 -#include "internals.h"
 +#include "tcg/tcg-gvec-desc.h"
  #include "exec/helper-proto.h"
 +#include "qemu/int128.h"
 +#include "vec_internal.h"
  /* ResetSVEState */
  void arm_reset_sve_state(CPUARMState *env)
@@ -XXX,XX +XXX,XX @@ void helper_sme_zero(CPUARMState *env, uint32_t imm, uint32_t svl)
          }
      }
- }
+@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-+
+     ARMMMUIdx s2_mmu_idx = *is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
-+
-+/*
+     if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
-+ * When considering the ZA storage as an array of elements of
+-        !regime_translation_disabled(env, s2_mmu_idx)) {
-+ * type T, the index within that array of the Nth element of
++        !regime_translation_disabled(env, s2_mmu_idx, *is_secure)) {
-+ * a vertical slice of a tile can be calculated like this,
+         GetPhysAddrResult s2 = {};
-+ * regardless of the size of type T. This is because the tiles
+         int ret;
-+ * are interleaved, so if type T is size N bytes then row 1 of
-+ * the tile is N rows away from row 0. The division by N to
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
-+ * convert a byte offset into an array index and the multiplication
+     uint32_t base;
-+ * by N to convert from vslice-index-within-the-tile to
+     bool is_user = regime_is_user(env, mmu_idx);
-+ * the index within the ZA storage cancel out.
-+ */
+-    if (regime_translation_disabled(env, mmu_idx)) {
-+#define tile_vslice_index(i) ((i) * sizeof(ARMVectorReg))
++    if (regime_translation_disabled(env, mmu_idx, is_secure)) {
-+
+         /* MPU disabled.  */
-+/*
+         result->phys = address;
-+ * When doing byte arithmetic on the ZA storage, the element
+         result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
-+ * byteoff bytes away in a tile vertical slice is always this
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
-+ * many bytes away in the ZA storage, regardless of the
+     result->page_size = TARGET_PAGE_SIZE;
-+ * size of the tile element, assuming that byteoff is a multiple
+     result->prot = 0;
-+ * of the element size. Again this is because of the interleaving
-+ * of the tiles. For instance if we have 1 byte per element then
+-    if (regime_translation_disabled(env, mmu_idx) ||
-+ * each row of the ZA storage has one byte of the vslice data,
++    if (regime_translation_disabled(env, mmu_idx, secure) ||
-+ * and (counting from 0) byte 8 goes in row 8 of the storage
+         m_is_ppb_region(env, address)) {
-+ * at offset (8 * row-size-in-bytes).
+         /*
-+ * If we have 8 bytes per element then each row of the ZA storage
+          * MPU disabled or M profile PPB access: use default memory map.
-+ * has 8 bytes of the data, but there are 8 interleaved tiles and
+@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
-+ * so byte 8 of the data goes into row 1 of the tile,
+      * are done in arm_v7m_load_vector(), which always does a direct
-+ * which is again row 8 of the storage, so the offset is still
+      * read using address_space_ldl(), rather than going via this function.
-+ * (8 * row-size-in-bytes). Similarly for other element sizes.
+      */
-+ */
+-    if (regime_translation_disabled(env, mmu_idx)) { /* MPU disabled */
-+#define tile_vslice_offset(byteoff) ((byteoff) * sizeof(ARMVectorReg))
++    if (regime_translation_disabled(env, mmu_idx, secure)) { /* MPU disabled */
-+
+         hit = true;
-+
+     } else if (m_is_ppb_region(env, address)) {
-+/*
+         hit = true;
-+ * Move Zreg vector to ZArray column.
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
-+ */
+                                 result, fi);
-+#define DO_MOVA_C(NAME, TYPE, H)                                        \
-+void HELPER(NAME)(void *za, void *vn, void *vg, uint32_t desc)          \
+             /* If S1 fails or S2 is disabled, return early.  */
-+{                                                                       \
+-            if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2)) {
-+    int i, oprsz = simd_oprsz(desc);                                    \
++            if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2,
-+    for (i = 0; i < oprsz; ) {                                          \
++                                                   is_secure)) {
-+        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
+                 return ret;
-+        do {                                                            \
+             }
-+            if (pg & 1) {                                               \
-+                *(TYPE *)(za + tile_vslice_offset(i)) = *(TYPE *)(vn + H(i)); \
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
-+            }                                                           \
-+            i += sizeof(TYPE);                                          \
+     /* Definitely a real MMU, not an MPU */
-+            pg >>= sizeof(TYPE);                                        \
-+        } while (i & 15);                                               \
+-    if (regime_translation_disabled(env, mmu_idx)) {
-+    }                                                                   \
++    if (regime_translation_disabled(env, mmu_idx, is_secure)) {
-+}
+         uint64_t hcr;
-+
+         uint8_t memattr;
-+DO_MOVA_C(sme_mova_cz_b, uint8_t, H1)
 +DO_MOVA_C(sme_mova_cz_h, uint16_t, H1_2)
 +DO_MOVA_C(sme_mova_cz_s, uint32_t, H1_4)
 +
 +void HELPER(sme_mova_cz_d)(void *za, void *vn, void *vg, uint32_t desc)
 +{
 +    int i, oprsz = simd_oprsz(desc) / 8;
 +    uint8_t *pg = vg;
 +    uint64_t *n = vn;
 +    uint64_t *a = za;
 +
 +    for (i = 0; i < oprsz; i++) {
 +        if (pg[H1(i)] & 1) {
 +            a[tile_vslice_index(i)] = n[i];
 +        }
 +    }
 +}
 +
 +void HELPER(sme_mova_cz_q)(void *za, void *vn, void *vg, uint32_t desc)
 +{
 +    int i, oprsz = simd_oprsz(desc) / 16;
 +    uint16_t *pg = vg;
 +    Int128 *n = vn;
 +    Int128 *a = za;
 +
 +    /*
 +     * Int128 is used here simply to copy 16 bytes, and to simplify
 +     * the address arithmetic.
 +     */
 +    for (i = 0; i < oprsz; i++) {
 +        if (pg[H2(i)] & 1) {
 +            a[tile_vslice_index(i)] = n[i];
 +        }
 +    }
 +}
 +
 +#undef DO_MOVA_C
 +
 +/*
 + * Move ZArray column to Zreg vector.
 + */
 +#define DO_MOVA_Z(NAME, TYPE, H)                                        \
 +void HELPER(NAME)(void *vd, void *za, void *vg, uint32_t desc)          \
 +{                                                                       \
 +    int i, oprsz = simd_oprsz(desc);                                    \
 +    for (i = 0; i < oprsz; ) {                                          \
 +        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
 +        do {                                                            \
 +            if (pg & 1) {                                               \
 +                *(TYPE *)(vd + H(i)) = *(TYPE *)(za + tile_vslice_offset(i)); \
 +            }                                                           \
 +            i += sizeof(TYPE);                                          \
 +            pg >>= sizeof(TYPE);                                        \
 +        } while (i & 15);                                               \
 +    }                                                                   \
 +}
 +
 +DO_MOVA_Z(sme_mova_zc_b, uint8_t, H1)
 +DO_MOVA_Z(sme_mova_zc_h, uint16_t, H1_2)
 +DO_MOVA_Z(sme_mova_zc_s, uint32_t, H1_4)
 +
 +void HELPER(sme_mova_zc_d)(void *vd, void *za, void *vg, uint32_t desc)
 +{
 +    int i, oprsz = simd_oprsz(desc) / 8;
 +    uint8_t *pg = vg;
 +    uint64_t *d = vd;
 +    uint64_t *a = za;
 +
 +    for (i = 0; i < oprsz; i++) {
 +        if (pg[H1(i)] & 1) {
 +            d[i] = a[tile_vslice_index(i)];
 +        }
 +    }
 +}
 +
 +void HELPER(sme_mova_zc_q)(void *vd, void *za, void *vg, uint32_t desc)
 +{
 +    int i, oprsz = simd_oprsz(desc) / 16;
 +    uint16_t *pg = vg;
 +    Int128 *d = vd;
 +    Int128 *a = za;
 +
 +    /*
 +     * Int128 is used here simply to copy 16 bytes, and to simplify
 +     * the address arithmetic.
 +     */
 +    for (i = 0; i < oprsz; i++, za += sizeof(ARMVectorReg)) {
 +        if (pg[H2(i)] & 1) {
 +            d[i] = a[tile_vslice_index(i)];
 +        }
 +    }
 +}
 +
 +#undef DO_MOVA_Z
 diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve_helper.c
 +++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_sel_zpzz_d)(void *vd, void *vn, void *vm,
      }
  }
 +void HELPER(sve_sel_zpzz_q)(void *vd, void *vn, void *vm,
 +                            void *vg, uint32_t desc)
 +{
 +    intptr_t i, opr_sz = simd_oprsz(desc) / 16;
 +    Int128 *d = vd, *n = vn, *m = vm;
 +    uint16_t *pg = vg;
 +
 +    for (i = 0; i < opr_sz; i += 1) {
 +        d[i] = (pg[H2(i)] & 1 ? n : m)[i];
 +    }
 +}
 +
  /* Two operand comparison controlled by a predicate.
   * ??? It is very tempting to want to be able to expand this inline
   * with x86 instructions, e.g.
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sme.c
 +++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@
  #include "decode-sme.c.inc"
 +/*
 + * Resolve tile.size[index] to a host pointer, where tile and index
 + * are always decoded together, dependent on the element size.
 + */
 +static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,
 +                                int tile_index, bool vertical)
 +{
 +    int tile = tile_index >> (4 - esz);
 +    int index = esz == MO_128 ? 0 : extract32(tile_index, 0, 4 - esz);
 +    int pos, len, offset;
 +    TCGv_i32 tmp;
 +    TCGv_ptr addr;
 +
 +    /* Compute the final index, which is Rs+imm. */
 +    tmp = tcg_temp_new_i32();
 +    tcg_gen_trunc_tl_i32(tmp, cpu_reg(s, rs));
 +    tcg_gen_addi_i32(tmp, tmp, index);
 +
 +    /* Prepare a power-of-two modulo via extraction of @len bits. */
 +    len = ctz32(streaming_vec_reg_size(s)) - esz;
 +
 +    if (vertical) {
 +        /*
 +         * Compute the byte offset of the index within the tile:
 +         *     (index % (svl / size)) * size
 +         *   = (index % (svl >> esz)) << esz
 +         * Perform the power-of-two modulo via extraction of the low @len bits.
 +         * Perform the multiply by shifting left by @pos bits.
 +         * Perform these operations simultaneously via deposit into zero.
 +         */
 +        pos = esz;
 +        tcg_gen_deposit_z_i32(tmp, tmp, pos, len);
 +
 +        /*
 +         * For big-endian, adjust the indexed column byte offset within
 +         * the uint64_t host words that make up env->zarray[].
 +         */
 +        if (HOST_BIG_ENDIAN && esz < MO_64) {
 +            tcg_gen_xori_i32(tmp, tmp, 8 - (1 << esz));
 +        }
 +    } else {
 +        /*
 +         * Compute the byte offset of the index within the tile:
 +         *     (index % (svl / size)) * (size * sizeof(row))
 +         *   = (index % (svl >> esz)) << (esz + log2(sizeof(row)))
 +         */
 +        pos = esz + ctz32(sizeof(ARMVectorReg));
 +        tcg_gen_deposit_z_i32(tmp, tmp, pos, len);
 +
 +        /* Row slices are always aligned and need no endian adjustment. */
 +    }
 +
 +    /* The tile byte offset within env->zarray is the row. */
 +    offset = tile * sizeof(ARMVectorReg);
 +
 +    /* Include the byte offset of zarray to make this relative to env. */
 +    offset += offsetof(CPUARMState, zarray);
 +    tcg_gen_addi_i32(tmp, tmp, offset);
 +
 +    /* Add the byte offset to env to produce the final pointer. */
 +    addr = tcg_temp_new_ptr();
 +    tcg_gen_ext_i32_ptr(addr, tmp);
 +    tcg_temp_free_i32(tmp);
 +    tcg_gen_add_ptr(addr, addr, cpu_env);
 +
 +    return addr;
 +}
 +
  static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
  {
      if (!dc_isar_feature(aa64_sme, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
      }
      return true;
  }
 +
 +static bool trans_MOVA(DisasContext *s, arg_MOVA *a)
 +{
 +    static gen_helper_gvec_4 * const h_fns[5] = {
 +        gen_helper_sve_sel_zpzz_b, gen_helper_sve_sel_zpzz_h,
 +        gen_helper_sve_sel_zpzz_s, gen_helper_sve_sel_zpzz_d,
 +        gen_helper_sve_sel_zpzz_q
 +    };
 +    static gen_helper_gvec_3 * const cz_fns[5] = {
 +        gen_helper_sme_mova_cz_b, gen_helper_sme_mova_cz_h,
 +        gen_helper_sme_mova_cz_s, gen_helper_sme_mova_cz_d,
 +        gen_helper_sme_mova_cz_q,
 +    };
 +    static gen_helper_gvec_3 * const zc_fns[5] = {
 +        gen_helper_sme_mova_zc_b, gen_helper_sme_mova_zc_h,
 +        gen_helper_sme_mova_zc_s, gen_helper_sme_mova_zc_d,
 +        gen_helper_sme_mova_zc_q,
 +    };
 +
 +    TCGv_ptr t_za, t_zr, t_pg;
 +    TCGv_i32 t_desc;
 +    int svl;
 +
 +    if (!dc_isar_feature(aa64_sme, s)) {
 +        return false;
 +    }
 +    if (!sme_smza_enabled_check(s)) {
 +        return true;
 +    }
 +
 +    t_za = get_tile_rowcol(s, a->esz, a->rs, a->za_imm, a->v);
 +    t_zr = vec_full_reg_ptr(s, a->zr);
 +    t_pg = pred_full_reg_ptr(s, a->pg);
 +
 +    svl = streaming_vec_reg_size(s);
 +    t_desc = tcg_constant_i32(simd_desc(svl, svl, 0));
 +
 +    if (a->v) {
 +        /* Vertical slice -- use sme mova helpers. */
 +        if (a->to_vec) {
 +            zc_fns[a->esz](t_zr, t_za, t_pg, t_desc);
 +        } else {
 +            cz_fns[a->esz](t_za, t_zr, t_pg, t_desc);
 +        }
 +    } else {
 +        /* Horizontal slice -- reuse sve sel helpers. */
 +        if (a->to_vec) {
 +            h_fns[a->esz](t_zr, t_za, t_zr, t_pg, t_desc);
 +        } else {
 +            h_fns[a->esz](t_za, t_zr, t_za, t_pg, t_desc);
 +        }
 +    }
 +
 +    tcg_temp_free_ptr(t_za);
 +    tcg_temp_free_ptr(t_zr);
 +    tcg_temp_free_ptr(t_pg);
 +
 +    return true;
 +}
 --
 .25.1

-[PULL 27/45] target/arm: Implement SME integer outer product
+[PULL 09/28] target/arm: Split out get_phys_addr_with_secure
 From: Richard Henderson <richard.henderson@linaro.org>
-This is SMOPA, SUMOPA, USMOPA_s, UMOPA, for both Int8 and Int16.
+Retain the existing get_phys_addr interface using the security
 state derived from mmu_idx.  Move the kerneldoc comments to the
 header file where they belong.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-28-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-6-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper-sme.h    | 16 ++++++++
+ target/arm/internals.h | 40 ++++++++++++++++++++++++++++++++++++++
- target/arm/sme.decode      | 10 +++++
+ target/arm/ptw.c       | 44 ++++++++++++++----------------------------
- target/arm/sme_helper.c    | 82 ++++++++++++++++++++++++++++++++++++++
+files changed, 55 insertions(+), 29 deletions(-)
  target/arm/translate-sme.c | 10 +++++
 files changed, 118 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
+--- a/target/arm/internals.h
-+++ b/target/arm/helper-sme.h
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
+@@ -XXX,XX +XXX,XX @@ typedef struct GetPhysAddrResult {
-                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+     ARMCacheAttrs cacheattrs;
- DEF_HELPER_FLAGS_6(sme_bfmopa, TCG_CALL_NO_RWG,
+ } GetPhysAddrResult;
-                    void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_smopa_s, TCG_CALL_NO_RWG,
++/**
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
++ * get_phys_addr_with_secure: get the physical address for a virtual address
-+DEF_HELPER_FLAGS_6(sme_umopa_s, TCG_CALL_NO_RWG,
++ * @env: CPUARMState
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
++ * @address: virtual address to get physical address for
-+DEF_HELPER_FLAGS_6(sme_sumopa_s, TCG_CALL_NO_RWG,
++ * @access_type: 0 for read, 1 for write, 2 for execute
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
++ * @mmu_idx: MMU index indicating required translation regime
-+DEF_HELPER_FLAGS_6(sme_usmopa_s, TCG_CALL_NO_RWG,
++ * @is_secure: security state for the access
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
++ * @result: set on translation success.
-+DEF_HELPER_FLAGS_6(sme_smopa_d, TCG_CALL_NO_RWG,
++ * @fi: set to fault info if the translation fails
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
++ *
-+DEF_HELPER_FLAGS_6(sme_umopa_d, TCG_CALL_NO_RWG,
++ * Find the physical address corresponding to the given virtual address,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
++ * by doing a translation table walk on MMU based systems or using the
-+DEF_HELPER_FLAGS_6(sme_sumopa_d, TCG_CALL_NO_RWG,
++ * MPU state on MPU based systems.
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
++ *
-+DEF_HELPER_FLAGS_6(sme_usmopa_d, TCG_CALL_NO_RWG,
++ * Returns false if the translation was successful. Otherwise, phys_ptr, attrs,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
++ * prot and page_size may not be filled in, and the populated fsr value provides
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
++ * information on why the translation aborted, in the format of a
 + * DFSR/IFSR fault register, with the following caveats:
 + *  * we honour the short vs long DFSR format differences.
 + *  * the WnR bit is never set (the caller must do this).
 + *  * for PSMAv5 based systems we don't bother to return a full FSR format
 + *    value.
 + */
 +bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
 +                               MMUAccessType access_type,
 +                               ARMMMUIdx mmu_idx, bool is_secure,
 +                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 +    __attribute__((nonnull));
 +
 +/**
 + * get_phys_addr: get the physical address for a virtual address
 + * @env: CPUARMState
 + * @address: virtual address to get physical address for
 + * @access_type: 0 for read, 1 for write, 2 for execute
 + * @mmu_idx: MMU index indicating required translation regime
 + * @result: set on translation success.
 + * @fi: set to fault info if the translation fails
 + *
 + * Similarly, but use the security regime of @mmu_idx.
 + */
  bool get_phys_addr(CPUARMState *env, target_ulong address,
                     MMUAccessType access_type, ARMMMUIdx mmu_idx,
                     GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
+--- a/target/arm/ptw.c
-+++ b/target/arm/sme.decode
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
+@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
+     return ret;
- BFMOPA          10000001 100 ..... ... ... ..... . 00 ..        @op_32
+ }
- FMOPA_h         10000001 101 ..... ... ... ..... . 00 ..        @op_32
-+
+-/**
-+SMOPA_s         1010000 0 10 0 ..... ... ... ..... . 00 ..      @op_32
+- * get_phys_addr - get the physical address for this virtual address
-+SUMOPA_s        1010000 0 10 1 ..... ... ... ..... . 00 ..      @op_32
+- *
-+USMOPA_s        1010000 1 10 0 ..... ... ... ..... . 00 ..      @op_32
+- * Find the physical address corresponding to the given virtual address,
-+UMOPA_s         1010000 1 10 1 ..... ... ... ..... . 00 ..      @op_32
+- * by doing a translation table walk on MMU based systems or using the
-+
+- * MPU state on MPU based systems.
-+SMOPA_d         1010000 0 11 0 ..... ... ... ..... . 0 ...      @op_64
+- *
-+SUMOPA_d        1010000 0 11 1 ..... ... ... ..... . 0 ...      @op_64
+- * Returns false if the translation was successful. Otherwise, phys_ptr, attrs,
-+USMOPA_d        1010000 1 11 0 ..... ... ... ..... . 0 ...      @op_64
+- * prot and page_size may not be filled in, and the populated fsr value provides
-+UMOPA_d         1010000 1 11 1 ..... ... ... ..... . 0 ...      @op_64
+- * information on why the translation aborted, in the format of a
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
+- * DFSR/IFSR fault register, with the following caveats:
-index XXXXXXX..XXXXXXX 100644
+- *  * we honour the short vs long DFSR format differences.
---- a/target/arm/sme_helper.c
+- *  * the WnR bit is never set (the caller must do this).
-+++ b/target/arm/sme_helper.c
+- *  * for PSMAv5 based systems we don't bother to return a full FSR format
-@@ -XXX,XX +XXX,XX @@ void HELPER(sme_bfmopa)(void *vza, void *vzn, void *vzm, void *vpn,
+- *    value.
-         } while (row & 15);
+- *
 - * @env: CPUARMState
 - * @address: virtual address to get physical address for
 - * @access_type: 0 for read, 1 for write, 2 for execute
 - * @mmu_idx: MMU index indicating required translation regime
 - * @result: set on translation success.
 - * @fi: set to fault info if the translation fails
 - */
 -bool get_phys_addr(CPUARMState *env, target_ulong address,
 -                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
 -                   GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 +bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
 +                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
 +                               bool is_secure, GetPhysAddrResult *result,
 +                               ARMMMUFaultInfo *fi)
  {
      ARMMMUIdx s1_mmu_idx = stage_1_mmu_idx(mmu_idx);
 -    bool is_secure = regime_is_secure(env, mmu_idx);
      if (mmu_idx != s1_mmu_idx) {
          /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
              ARMMMUIdx s2_mmu_idx;
              bool is_el0;
 -            ret = get_phys_addr(env, address, access_type, s1_mmu_idx,
 -                                result, fi);
 +            ret = get_phys_addr_with_secure(env, address, access_type,
 +                                            s1_mmu_idx, is_secure, result, fi);
              /* If S1 fails or S2 is disabled, return early.  */
              if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2,
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
      }
  }
-+
-+typedef uint64_t IMOPFn(uint64_t, uint64_t, uint64_t, uint8_t, bool);
++bool get_phys_addr(CPUARMState *env, target_ulong address,
-+
++                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
-+static inline void do_imopa(uint64_t *za, uint64_t *zn, uint64_t *zm,
++                   GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 +                            uint8_t *pn, uint8_t *pm,
 +                            uint32_t desc, IMOPFn *fn)
 +{
-+    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
++    return get_phys_addr_with_secure(env, address, access_type, mmu_idx,
-+    bool neg = simd_data(desc);
++                                     regime_is_secure(env, mmu_idx),
-+
++                                     result, fi);
 +    for (row = 0; row < oprsz; ++row) {
 +        uint8_t pa = pn[H1(row)];
 +        uint64_t *za_row = &za[tile_vslice_index(row)];
 +        uint64_t n = zn[row];
 +
 +        for (col = 0; col < oprsz; ++col) {
 +            uint8_t pb = pm[H1(col)];
 +            uint64_t *a = &za_row[col];
 +
 +            *a = fn(n, zm[col], *a, pa & pb, neg);
 +        }
 +    }
 +}
 +
-+#define DEF_IMOP_32(NAME, NTYPE, MTYPE) \
+ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
-+static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \
+                                          MemTxAttrs *attrs)
-+{                                                                           \
+ {
 +    uint32_t sum0 = 0, sum1 = 0;                                            \
 +    /* Apply P to N as a mask, making the inactive elements 0. */           \
 +    n &= expand_pred_b(p);                                                  \
 +    sum0 += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);                              \
 +    sum0 += (NTYPE)(n >> 8) * (MTYPE)(m >> 8);                              \
 +    sum0 += (NTYPE)(n >> 16) * (MTYPE)(m >> 16);                            \
 +    sum0 += (NTYPE)(n >> 24) * (MTYPE)(m >> 24);                            \
 +    sum1 += (NTYPE)(n >> 32) * (MTYPE)(m >> 32);                            \
 +    sum1 += (NTYPE)(n >> 40) * (MTYPE)(m >> 40);                            \
 +    sum1 += (NTYPE)(n >> 48) * (MTYPE)(m >> 48);                            \
 +    sum1 += (NTYPE)(n >> 56) * (MTYPE)(m >> 56);                            \
 +    if (neg) {                                                              \
 +        sum0 = (uint32_t)a - sum0, sum1 = (uint32_t)(a >> 32) - sum1;       \
 +    } else {                                                                \
 +        sum0 = (uint32_t)a + sum0, sum1 = (uint32_t)(a >> 32) + sum1;       \
 +    }                                                                       \
 +    return ((uint64_t)sum1 << 32) | sum0;                                   \
 +}
 +
 +#define DEF_IMOP_64(NAME, NTYPE, MTYPE) \
 +static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \
 +{                                                                           \
 +    uint64_t sum = 0;                                                       \
 +    /* Apply P to N as a mask, making the inactive elements 0. */           \
 +    n &= expand_pred_h(p);                                                  \
 +    sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);                               \
 +    sum += (NTYPE)(n >> 16) * (MTYPE)(m >> 16);                             \
 +    sum += (NTYPE)(n >> 32) * (MTYPE)(m >> 32);                             \
 +    sum += (NTYPE)(n >> 48) * (MTYPE)(m >> 48);                             \
 +    return neg ? a - sum : a + sum;                                         \
 +}
 +
 +DEF_IMOP_32(smopa_s, int8_t, int8_t)
 +DEF_IMOP_32(umopa_s, uint8_t, uint8_t)
 +DEF_IMOP_32(sumopa_s, int8_t, uint8_t)
 +DEF_IMOP_32(usmopa_s, uint8_t, int8_t)
 +
 +DEF_IMOP_64(smopa_d, int16_t, int16_t)
 +DEF_IMOP_64(umopa_d, uint16_t, uint16_t)
 +DEF_IMOP_64(sumopa_d, int16_t, uint16_t)
 +DEF_IMOP_64(usmopa_d, uint16_t, int16_t)
 +
 +#define DEF_IMOPH(NAME) \
 +    void HELPER(sme_##NAME)(void *vza, void *vzn, void *vzm, void *vpn,      \
 +                            void *vpm, uint32_t desc)                        \
 +    { do_imopa(vza, vzn, vzm, vpn, vpm, desc, NAME); }
 +
 +DEF_IMOPH(smopa_s)
 +DEF_IMOPH(umopa_s)
 +DEF_IMOPH(sumopa_s)
 +DEF_IMOPH(usmopa_s)
 +DEF_IMOPH(smopa_d)
 +DEF_IMOPH(umopa_d)
 +DEF_IMOPH(sumopa_d)
 +DEF_IMOPH(usmopa_d)
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sme.c
 +++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_f
  /* TODO: FEAT_EBF16 */
  TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)
 +
 +TRANS_FEAT(SMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_smopa_s)
 +TRANS_FEAT(UMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_umopa_s)
 +TRANS_FEAT(SUMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_sumopa_s)
 +TRANS_FEAT(USMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_usmopa_s)
 +
 +TRANS_FEAT(SMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_smopa_d)
 +TRANS_FEAT(UMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_umopa_d)
 +TRANS_FEAT(SUMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_sumopa_d)
 +TRANS_FEAT(USMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_usmopa_d)
 --
 .25.1

-[PULL 40/45] linux-user/aarch64: Implement SME signal handling
+[PULL 10/28] target/arm: Add is_secure parameter to v7m_read_half_insn
 From: Richard Henderson <richard.henderson@linaro.org>
-Set the SM bit in the SVE record on signal delivery, create the ZA record.
+Remove the use of regime_is_secure from v7m_read_half_insn, using
-Restore SM and ZA state according to the records present on return.
+the new parameter instead.
 As it happens, both callers pass true, propagated from the argument
 to arm_v7m_mmu_idx_for_secstate which created the mmu_idx argument,
 but that is a detail of v7m_handle_execute_nsc we need not expose
 to the callee.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-41-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-7-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/signal.c | 167 +++++++++++++++++++++++++++++++++---
+ target/arm/m_helper.c | 9 ++++-----
-file changed, 154 insertions(+), 13 deletions(-)
+file changed, 4 insertions(+), 5 deletions(-)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/target/arm/m_helper.c
-+++ b/linux-user/aarch64/signal.c
++++ b/target/arm/m_helper.c
-@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
+@@ -XXX,XX +XXX,XX @@ static bool do_v7m_function_return(ARMCPU *cpu)
+     return true;
  #define TARGET_SVE_SIG_FLAG_SM  1
 +#define TARGET_ZA_MAGIC        0x54366345
 +
 +struct target_za_context {
 +    struct target_aarch64_ctx head;
 +    uint16_t vl;
 +    uint16_t reserved[3];
 +    /* The actual ZA data immediately follows. */
 +};
 +
 +#define TARGET_ZA_SIG_REGS_OFFSET \
 +    QEMU_ALIGN_UP(sizeof(struct target_za_context), TARGET_SVE_VQ_BYTES)
 +#define TARGET_ZA_SIG_ZAV_OFFSET(VQ, N) \
 +    (TARGET_ZA_SIG_REGS_OFFSET + (VQ) * TARGET_SVE_VQ_BYTES * (N))
 +#define TARGET_ZA_SIG_CONTEXT_SIZE(VQ) \
 +    TARGET_ZA_SIG_ZAV_OFFSET(VQ, VQ * TARGET_SVE_VQ_BYTES)
 +
  struct target_rt_sigframe {
      struct target_siginfo info;
      struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_end_record(struct target_aarch64_ctx *end)
  }
- static void target_setup_sve_record(struct target_sve_context *sve,
+-static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
--                                    CPUARMState *env, int vq, int size)
++static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool secure,
-+                                    CPUARMState *env, int size)
+                                uint32_t addr, uint16_t *insn)
  {
--    int i, j;
+     /*
-+    int i, j, vq = sve_vq(env);
+@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
+     ARMMMUFaultInfo fi = {};
-     memset(sve, 0, sizeof(*sve));
+     MemTxResult txres;
-     __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
-@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
+-    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx,
-     }
+-                        regime_is_secure(env, mmu_idx), &sattrs);
- }
++    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, secure, &sattrs);
+     if (!sattrs.nsc || sattrs.ns) {
-+static void target_setup_za_record(struct target_za_context *za,
+         /*
-+                                   CPUARMState *env, int size)
+          * This must be the second half of the insn, and it straddles a
-+{
+@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
-+    int vq = sme_vq(env);
+     /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
-+    int vl = vq * TARGET_SVE_VQ_BYTES;
+     mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
-+    int i, j;
-+
+-    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
-+    memset(za, 0, sizeof(*za));
++    if (!v7m_read_half_insn(cpu, mmu_idx, true, env->regs[15], &insn)) {
 +    __put_user(TARGET_ZA_MAGIC, &za->head.magic);
 +    __put_user(size, &za->head.size);
 +    __put_user(vl, &za->vl);
 +
 +    if (size == TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
 +        return;
 +    }
 +    assert(size == TARGET_ZA_SIG_CONTEXT_SIZE(vq));
 +
 +    /*
 +     * Note that ZA vectors are stored as a byte stream,
 +     * with each byte element at a subsequent address.
 +     */
 +    for (i = 0; i < vl; ++i) {
 +        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
 +        for (j = 0; j < vq * 2; ++j) {
 +            __put_user_e(env->zarray[i].d[j], z + j, le);
 +        }
 +    }
 +}
 +
  static void target_restore_general_frame(CPUARMState *env,
                                           struct target_rt_sigframe *sf)
  {
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
  static bool target_restore_sve_record(CPUARMState *env,
                                        struct target_sve_context *sve,
 -                                      int size)
 +                                      int size, int *svcr)
  {
 -    int i, j, vl, vq;
 +    int i, j, vl, vq, flags;
 +    bool sm;
 -    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 +    __get_user(vl, &sve->vl);
 +    __get_user(flags, &sve->flags);
 +
 +    sm = flags & TARGET_SVE_SIG_FLAG_SM;
 +
 +    /* The cpu must support Streaming or Non-streaming SVE. */
 +    if (sm
 +        ? !cpu_isar_feature(aa64_sme, env_archcpu(env))
 +        : !cpu_isar_feature(aa64_sve, env_archcpu(env))) {
          return false;
      }
--    __get_user(vl, &sve->vl);
+@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
--    vq = sve_vq(env);
+         goto gen_invep;
-+    /*
+     }
-+     * Note that we cannot use sve_vq() because that depends on the
-+     * current setting of PSTATE.SM, not the state to be restored.
+-    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
-+     */
++    if (!v7m_read_half_insn(cpu, mmu_idx, true, env->regs[15] + 2, &insn)) {
 +    vq = sve_vqm1_for_el_sm(env, 0, sm) + 1;
      /* Reject mismatched VL. */
      if (vl != vq * TARGET_SVE_VQ_BYTES) {
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
          return false;
      }
-+    *svcr = FIELD_DP64(*svcr, SVCR, SM, sm);
-+
-     /*
-      * Note that SVE regs are stored as a byte stream, with each byte element
-      * at a subsequent address.  This corresponds to a little-endian load
-@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
-     return true;
- }
-+static bool target_restore_za_record(CPUARMState *env,
-+                                     struct target_za_context *za,
-+                                     int size, int *svcr)
-+{
-+    int i, j, vl, vq;
-+
-+    if (!cpu_isar_feature(aa64_sme, env_archcpu(env))) {
-+        return false;
-+    }
-+
-+    __get_user(vl, &za->vl);
-+    vq = sme_vq(env);
-+
-+    /* Reject mismatched VL. */
-+    if (vl != vq * TARGET_SVE_VQ_BYTES) {
-+        return false;
-+    }
-+
-+    /* Accept empty record -- used to clear PSTATE.ZA. */
-+    if (size <= TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
-+        return true;
-+    }
-+
-+    /* Reject non-empty but incomplete record. */
-+    if (size < TARGET_ZA_SIG_CONTEXT_SIZE(vq)) {
-+        return false;
-+    }
-+
-+    *svcr = FIELD_DP64(*svcr, SVCR, ZA, 1);
-+
-+    for (i = 0; i < vl; ++i) {
-+        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
-+        for (j = 0; j < vq * 2; ++j) {
-+            __get_user_e(env->zarray[i].d[j], z + j, le);
-+        }
-+    }
-+    return true;
-+}
-+
- static int target_restore_sigframe(CPUARMState *env,
-                                    struct target_rt_sigframe *sf)
- {
-     struct target_aarch64_ctx *ctx, *extra = NULL;
-     struct target_fpsimd_context *fpsimd = NULL;
-     struct target_sve_context *sve = NULL;
-+    struct target_za_context *za = NULL;
-     uint64_t extra_datap = 0;
-     bool used_extra = false;
-     int sve_size = 0;
-+    int za_size = 0;
-+    int svcr = 0;
-     target_restore_general_frame(env, sf);
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
-             sve_size = size;
-             break;
-+        case TARGET_ZA_MAGIC:
-+            if (za || size < sizeof(struct target_za_context)) {
-+                goto err;
-+            }
-+            za = (struct target_za_context *)ctx;
-+            za_size = size;
-+            break;
-+
-         case TARGET_EXTRA_MAGIC:
-             if (extra || size != sizeof(struct target_extra_context)) {
-                 goto err;
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
-     }
-     /* SVE data, if present, overwrites FPSIMD data.  */
--    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
-+    if (sve && !target_restore_sve_record(env, sve, sve_size, &svcr)) {
-         goto err;
-     }
-+    if (za && !target_restore_za_record(env, za, za_size, &svcr)) {
-+        goto err;
-+    }
-+    if (env->svcr != svcr) {
-+        env->svcr = svcr;
-+        arm_rebuild_hflags(env);
-+    }
-     unlock_user(extra, extra_datap, 0);
-     return 0;
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
-         .total_size = offsetof(struct target_rt_sigframe,
-                                uc.tuc_mcontext.__reserved),
-     };
--    int fpsimd_ofs, fr_ofs, sve_ofs = 0, vq = 0, sve_size = 0;
-+    int fpsimd_ofs, fr_ofs, sve_ofs = 0, za_ofs = 0;
-+    int sve_size = 0, za_size = 0;
-     struct target_rt_sigframe *frame;
-     struct target_rt_frame_record *fr;
-     abi_ulong frame_addr, return_addr;
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
-                                       &layout);
-     /* SVE state needs saving only if it exists.  */
--    if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
--        vq = sve_vq(env);
--        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
-+    if (cpu_isar_feature(aa64_sve, env_archcpu(env)) ||
-+        cpu_isar_feature(aa64_sme, env_archcpu(env))) {
-+        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(sve_vq(env)), 16);
-         sve_ofs = alloc_sigframe_space(sve_size, &layout);
-     }
-+    if (cpu_isar_feature(aa64_sme, env_archcpu(env))) {
-+        /* ZA state needs saving only if it is enabled.  */
-+        if (FIELD_EX64(env->svcr, SVCR, ZA)) {
-+            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(sme_vq(env));
-+        } else {
-+            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(0);
-+        }
-+        za_ofs = alloc_sigframe_space(za_size, &layout);
-+    }
-     if (layout.extra_ofs) {
-         /* Reserve space for the extra end marker.  The standard end marker
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
-         target_setup_end_record((void *)frame + layout.extra_end_ofs);
-     }
-     if (sve_ofs) {
--        target_setup_sve_record((void *)frame + sve_ofs, env, vq, sve_size);
-+        target_setup_sve_record((void *)frame + sve_ofs, env, sve_size);
-+    }
-+    if (za_ofs) {
-+        target_setup_za_record((void *)frame + za_ofs, env, za_size);
-     }
-     /* Set up the stack frame for unwinding.  */
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
-         env->btype = 2;
-     }
-+    /*
-+     * Invoke the signal handler with both SM and ZA disabled.
-+     * When clearing SM, ResetSVEState, per SMSTOP.
-+     */
-+    if (FIELD_EX64(env->svcr, SVCR, SM)) {
-+        arm_reset_sve_state(env);
-+    }
-+    if (env->svcr) {
-+        env->svcr = 0;
-+        arm_rebuild_hflags(env);
-+    }
-+
-     if (info) {
-         tswap_siginfo(&frame->info, info);
-         env->xregs[1] = frame_addr + offsetof(struct target_rt_sigframe, info);
 --
 .25.1

-[PULL 03/45] target/arm: Trap non-streaming usage when Streaming SVE is active
+[PULL 11/28] target/arm: Add TBFLAG_M32.SECURE
 From: Richard Henderson <richard.henderson@linaro.org>
-This new behaviour is in the ARM pseudocode function
+Remove the use of regime_is_secure from arm_tr_init_disas_context.
-AArch64.CheckFPAdvSIMDEnabled, which applies to AArch32
+Instead, provide the value of v8m_secure directly from tb_flags.
-via AArch32.CheckAdvSIMDOrFPEnabled when the EL to which
+Rather than use regime_is_secure, use the env->v7m.secure directly,
-the trap would be delivered is in AArch64 mode.
+as per arm_mmu_idx_el.
 Given that ARMv9 drops support for AArch32 outside EL0, the trap EL
 detection ought to be trivially true, but the pseudocode still contains
 a number of conditions, and QEMU has not yet committed to dropping A32
 support for EL[12] when v9 features are present.
 Since the computation of SME_TRAP_NONSTREAMING is necessarily different
 for the two modes, we might as well preserve bits within TBFLAG_ANY and
 allocate separate bits within TBFLAG_A32 and TBFLAG_A64 instead.
 Note that DDI0616A.a has typos for bits [22:21] of LD1RO in the table
 of instructions illegal in streaming mode.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-4-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-8-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h           |  7 +++
+ target/arm/cpu.h       | 2 ++
- target/arm/translate.h     |  4 ++
+ target/arm/helper.c    | 4 ++++
- target/arm/sme-fa64.decode | 90 ++++++++++++++++++++++++++++++++++++++
+ target/arm/translate.c | 3 +--
- target/arm/helper.c        | 41 +++++++++++++++++
+files changed, 7 insertions(+), 2 deletions(-)
  target/arm/translate-a64.c | 40 ++++++++++++++++-
  target/arm/translate-vfp.c | 12 +++++
  target/arm/translate.c     |  2 +
  target/arm/meson.build     |  1 +
 files changed, 195 insertions(+), 2 deletions(-)
  create mode 100644 target/arm/sme-fa64.decode
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A32, HSTR_ACTIVE, 9, 1)
+@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_M32, NEW_FP_CTXT_NEEDED, 3, 1)     /* Not cached. */
-  * the same thing as the current security state of the processor!
+ FIELD(TBFLAG_M32, FPCCR_S_WRONG, 4, 1)          /* Not cached. */
-  */
+ /* Set if MVE insns are definitely not predicated by VPR or LTPSIZE */
- FIELD(TBFLAG_A32, NS, 10, 1)
+ FIELD(TBFLAG_M32, MVE_NO_PRED, 5, 1)            /* Not cached. */
-+/*
++/* Set if in secure mode */
-+ * Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not.
++FIELD(TBFLAG_M32, SECURE, 6, 1)
 + * This requires an SME trap from AArch32 mode when using NEON.
 + */
 +FIELD(TBFLAG_A32, SME_TRAP_NONSTREAMING, 11, 1)
  /*
-  * Bit usage when in AArch32 state, for M-profile only.
+  * Bit usage when in AArch64 state
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A64, SMEEXC_EL, 20, 2)
  FIELD(TBFLAG_A64, PSTATE_SM, 22, 1)
  FIELD(TBFLAG_A64, PSTATE_ZA, 23, 1)
  FIELD(TBFLAG_A64, SVL, 24, 4)
 +/* Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not. */
 +FIELD(TBFLAG_A64, SME_TRAP_NONSTREAMING, 28, 1)
  /*
   * Helpers for using the above.
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      bool pstate_sm;
      /* True if PSTATE.ZA is set. */
      bool pstate_za;
 +    /* True if non-streaming insns should raise an SME Streaming exception. */
 +    bool sme_trap_nonstreaming;
 +    /* True if the current instruction is non-streaming. */
 +    bool is_nonstreaming;
      /* True if MVE insns are definitely not predicated by VPR or LTPSIZE */
      bool mve_no_pred;
      /*
 diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@
 +# AArch64 SME allowed instruction decoding
 +#
 +#  Copyright (c) 2022 Linaro, Ltd
 +#
 +# This library is free software; you can redistribute it and/or
 +# modify it under the terms of the GNU Lesser General Public
 +# License as published by the Free Software Foundation; either
 +# version 2.1 of the License, or (at your option) any later version.
 +#
 +# This library is distributed in the hope that it will be useful,
 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +# Lesser General Public License for more details.
 +#
 +# You should have received a copy of the GNU Lesser General Public
 +# License along with this library; if not, see <http://www.gnu.org/licenses/>.
 +
 +#
 +# This file is processed by scripts/decodetree.py
 +#
 +
 +# These patterns are taken from Appendix E1.1 of DDI0616 A.a,
 +# Arm Architecture Reference Manual Supplement,
 +# The Scalable Matrix Extension (SME), for Armv9-A
 +
 +{
 +  [
 +    OK  0-00 1110 0000 0001 0010 11-- ---- ----   # SMOV W|Xd,Vn.B[0]
 +    OK  0-00 1110 0000 0010 0010 11-- ---- ----   # SMOV W|Xd,Vn.H[0]
 +    OK  0100 1110 0000 0100 0010 11-- ---- ----   # SMOV Xd,Vn.S[0]
 +    OK  0000 1110 0000 0001 0011 11-- ---- ----   # UMOV Wd,Vn.B[0]
 +    OK  0000 1110 0000 0010 0011 11-- ---- ----   # UMOV Wd,Vn.H[0]
 +    OK  0000 1110 0000 0100 0011 11-- ---- ----   # UMOV Wd,Vn.S[0]
 +    OK  0100 1110 0000 1000 0011 11-- ---- ----   # UMOV Xd,Vn.D[0]
 +  ]
 +  FAIL  0--0 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD vector operations
 +}
 +
 +{
 +  [
 +    OK  0101 1110 --1- ---- 11-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar)
 +    OK  0101 1110 -10- ---- 00-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar, FP16)
 +    OK  01-1 1110 1-10 0001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar)
 +    OK  01-1 1110 1111 1001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar, FP16)
 +  ]
 +  FAIL  01-1 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD single-element operations
 +}
 +
 +FAIL    0-00 110- ---- ---- ---- ---- ---- ----   # Advanced SIMD structure load/store
 +FAIL    1100 1110 ---- ---- ---- ---- ---- ----   # Advanced SIMD cryptography extensions
 +FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 +
 +# These are the "avoidance of doubt" final table of Illegal Advanced SIMD instructions
 +# We don't actually need to include these, as the default is OK.
 +#       -001 111- ---- ---- ---- ---- ---- ----   # Scalar floating-point operations
 +#       --10 110- ---- ---- ---- ---- ---- ----   # Load/store pair of FP registers
 +#       --01 1100 ---- ---- ---- ---- ---- ----   # Load FP register (PC-relative literal)
 +#       --11 1100 --0- ---- ---- ---- ---- ----   # Load/store FP register (unscaled imm)
 +#       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 +#       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 +
 +FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
 +FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
 +FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
 +FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
 +FAIL    0010 0101 --10 1--- 1001 ---- ---- ----   # WRFFR, SETFFR
 +FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
 +FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
 +FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
 +FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
 +FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
 +FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
 +FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
 +FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
 +FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
 +FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
 +FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
 +FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
 +FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
 +FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
 +FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
 +FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
 +FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
 +FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
 +FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
 +FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
 +FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
 +FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
 +FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
 +FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ int sme_exception_el(CPUARMState *env, int el)
+@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_m32(CPUARMState *env, int fp_el,
-     return 0;
+         DP_TBFLAG_M32(flags, STACKCHECK, 1);
  }
 +/* This corresponds to the ARM pseudocode function IsFullA64Enabled(). */
 +static bool sme_fa64(CPUARMState *env, int el)
 +{
 +    if (!cpu_isar_feature(aa64_sme_fa64, env_archcpu(env))) {
 +        return false;
 +    }
 +
 +    if (el <= 1 && !el_is_in_host(env, el)) {
 +        if (!FIELD_EX64(env->vfp.smcr_el[1], SMCR, FA64)) {
 +            return false;
 +        }
 +    }
 +    if (el <= 2 && arm_is_el2_enabled(env)) {
 +        if (!FIELD_EX64(env->vfp.smcr_el[2], SMCR, FA64)) {
 +            return false;
 +        }
 +    }
 +    if (arm_feature(env, ARM_FEATURE_EL3)) {
 +        if (!FIELD_EX64(env->vfp.smcr_el[3], SMCR, FA64)) {
 +            return false;
 +        }
 +    }
 +
 +    return true;
 +}
 +
  /*
   * Given that SVE is enabled, return the vector length for EL.
   */
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a32(CPUARMState *env, int fp_el,
          DP_TBFLAG_ANY(flags, PSTATE__IL, 1);
      }
-+    /*
++    if (arm_feature(env, ARM_FEATURE_M_SECURITY) && env->v7m.secure) {
-+     * The SME exception we are testing for is raised via
++        DP_TBFLAG_M32(flags, SECURE, 1);
 +     * AArch64.CheckFPAdvSIMDEnabled(), as called from
 +     * AArch32.CheckAdvSIMDOrFPEnabled().
 +     */
 +    if (el == 0
 +        && FIELD_EX64(env->svcr, SVCR, SM)
 +        && (!arm_is_el2_enabled(env)
 +            || (arm_el_is_aa64(env, 2) && !(env->cp15.hcr_el2 & HCR_TGE)))
 +        && arm_el_is_aa64(env, 1)
 +        && !sme_fa64(env, el)) {
 +        DP_TBFLAG_A32(flags, SME_TRAP_NONSTREAMING, 1);
 +    }
 +
      return rebuild_hflags_common_32(env, fp_el, mmu_idx, flags);
  }
-@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
-         }
-         if (FIELD_EX64(env->svcr, SVCR, SM)) {
-             DP_TBFLAG_A64(flags, PSTATE_SM, 1);
-+            DP_TBFLAG_A64(flags, SME_TRAP_NONSTREAMING, !sme_fa64(env, el));
-         }
-         DP_TBFLAG_A64(flags, PSTATE_ZA, FIELD_EX64(env->svcr, SVCR, ZA));
-     }
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
-+++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void do_vec_ld(DisasContext *s, int destidx, int element,
-  * unallocated-encoding checks (otherwise the syndrome information
-  * for the resulting exception will be incorrect).
-  */
--static bool fp_access_check(DisasContext *s)
-+static bool fp_access_check_only(DisasContext *s)
- {
-     if (s->fp_excp_el) {
-         assert(!s->fp_access_checked);
-@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
-     return true;
- }
-+static bool fp_access_check(DisasContext *s)
-+{
-+    if (!fp_access_check_only(s)) {
-+        return false;
-+    }
-+    if (s->sme_trap_nonstreaming && s->is_nonstreaming) {
-+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
-+                           syn_smetrap(SME_ET_Streaming, false));
-+        return false;
-+    }
-+    return true;
-+}
-+
- /* Check that SVE access is enabled.  If it is, return true.
-  * If not, emit code to generate an appropriate exception and return false.
-  */
-@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
-     default:
-         g_assert_not_reached();
-     }
--    if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
-+    if ((ri->type & ARM_CP_FPU) && !fp_access_check_only(s)) {
-         return;
-     } else if ((ri->type & ARM_CP_SVE) && !sve_access_check(s)) {
-         return;
-@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
-     }
- }
-+/*
-+ * Include the generated SME FA64 decoder.
-+ */
-+
-+#include "decode-sme-fa64.c.inc"
-+
-+static bool trans_OK(DisasContext *s, arg_OK *a)
-+{
-+    return true;
-+}
-+
-+static bool trans_FAIL(DisasContext *s, arg_OK *a)
-+{
-+    s->is_nonstreaming = true;
-+    return true;
-+}
-+
- /**
-  * is_guarded_page:
-  * @env: The cpu environment
-@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
-     dc->mte_active[1] = EX_TBFLAG_A64(tb_flags, MTE0_ACTIVE);
-     dc->pstate_sm = EX_TBFLAG_A64(tb_flags, PSTATE_SM);
-     dc->pstate_za = EX_TBFLAG_A64(tb_flags, PSTATE_ZA);
-+    dc->sme_trap_nonstreaming = EX_TBFLAG_A64(tb_flags, SME_TRAP_NONSTREAMING);
-     dc->vec_len = 0;
-     dc->vec_stride = 0;
-     dc->cp_regs = arm_cpu->cp_regs;
-@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-         }
-     }
-+    s->is_nonstreaming = false;
-+    if (s->sme_trap_nonstreaming) {
-+        disas_sme_fa64(s, insn);
-+    }
-+
-     switch (extract32(insn, 25, 4)) {
-     case 0x0:
-         if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
-diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-vfp.c
-+++ b/target/arm/translate-vfp.c
-@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
-         return false;
-     }
-+    /*
-+     * Note that rebuild_hflags_a32 has already accounted for being in EL0
-+     * and the higher EL in A64 mode, etc.  Unlike A64 mode, there do not
-+     * appear to be any insns which touch VFP which are allowed.
-+     */
-+    if (s->sme_trap_nonstreaming) {
-+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
-+                           syn_smetrap(SME_ET_Streaming,
-+                                       s->base.pc_next - s->pc_curr == 2));
-+        return false;
-+    }
-+
-     if (!s->vfp_enabled && !ignore_vfp_enabled) {
-         assert(!arm_dc_feature(s, ARM_FEATURE_M));
-         unallocated_encoding(s);
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
 @@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
-             dc->vec_len = EX_TBFLAG_A32(tb_flags, VECLEN);
+         dc->vfp_enabled = 1;
-             dc->vec_stride = EX_TBFLAG_A32(tb_flags, VECSTRIDE);
+         dc->be_data = MO_TE;
-         }
+         dc->v7m_handler_mode = EX_TBFLAG_M32(tb_flags, HANDLER);
-+        dc->sme_trap_nonstreaming =
+-        dc->v8m_secure = arm_feature(env, ARM_FEATURE_M_SECURITY) &&
-+            EX_TBFLAG_A32(tb_flags, SME_TRAP_NONSTREAMING);
+-            regime_is_secure(env, dc->mmu_idx);
-     }
++        dc->v8m_secure = EX_TBFLAG_M32(tb_flags, SECURE);
-     dc->cp_regs = cpu->cp_regs;
+         dc->v8m_stackcheck = EX_TBFLAG_M32(tb_flags, STACKCHECK);
-     dc->features = env->features;
+         dc->v8m_fpccr_s_wrong = EX_TBFLAG_M32(tb_flags, FPCCR_S_WRONG);
-diff --git a/target/arm/meson.build b/target/arm/meson.build
+         dc->v7m_new_fp_ctxt_needed =
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/meson.build
 +++ b/target/arm/meson.build
@@ -XXX,XX +XXX,XX @@
  gen = [
    decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
    decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
 +  decodetree.process('sme-fa64.decode', extra_args: '--static-decode=disas_sme_fa64'),
    decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
    decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
    decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
 --
 .25.1

-[PULL 39/45] linux-user/aarch64: Move sve record checks into restore
+[PULL 12/28] target/arm: Merge regime_is_secure into get_phys_addr
 From: Richard Henderson <richard.henderson@linaro.org>
-Move the checks out of the parsing loop and into the
+This is the last use of regime_is_secure; remove it
-restore function.  This more closely mirrors the code
+entirely before changing the layout of ARMMMUIdx.
 structure in the kernel, and is slightly clearer.
 Reject rather than silently skip incorrect VL and SVE record sizes,
 bringing our checks in to line with those the kernel does.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-40-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-9-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/signal.c | 51 +++++++++++++++++++++++++------------
+ target/arm/internals.h | 42 ----------------------------------------
-file changed, 35 insertions(+), 16 deletions(-)
+ target/arm/ptw.c       | 44 ++++++++++++++++++++++++++++++++++++++++--
 files changed, 42 insertions(+), 44 deletions(-)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/target/arm/internals.h
-+++ b/linux-user/aarch64/signal.c
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ static inline bool regime_has_2_ranges(ARMMMUIdx mmu_idx)
      }
  }
--static void target_restore_sve_record(CPUARMState *env,
+-/* Return true if this address translation regime is secure */
--                                      struct target_sve_context *sve, int vq)
+-static inline bool regime_is_secure(CPUARMState *env, ARMMMUIdx mmu_idx)
-+static bool target_restore_sve_record(CPUARMState *env,
+-{
-+                                      struct target_sve_context *sve,
+-    switch (mmu_idx) {
-+                                      int size)
+-    case ARMMMUIdx_E10_0:
 -    case ARMMMUIdx_E10_1:
 -    case ARMMMUIdx_E10_1_PAN:
 -    case ARMMMUIdx_E20_0:
 -    case ARMMMUIdx_E20_2:
 -    case ARMMMUIdx_E20_2_PAN:
 -    case ARMMMUIdx_Stage1_E0:
 -    case ARMMMUIdx_Stage1_E1:
 -    case ARMMMUIdx_Stage1_E1_PAN:
 -    case ARMMMUIdx_E2:
 -    case ARMMMUIdx_Stage2:
 -    case ARMMMUIdx_MPrivNegPri:
 -    case ARMMMUIdx_MUserNegPri:
 -    case ARMMMUIdx_MPriv:
 -    case ARMMMUIdx_MUser:
 -        return false;
 -    case ARMMMUIdx_SE3:
 -    case ARMMMUIdx_SE10_0:
 -    case ARMMMUIdx_SE10_1:
 -    case ARMMMUIdx_SE10_1_PAN:
 -    case ARMMMUIdx_SE20_0:
 -    case ARMMMUIdx_SE20_2:
 -    case ARMMMUIdx_SE20_2_PAN:
 -    case ARMMMUIdx_Stage1_SE0:
 -    case ARMMMUIdx_Stage1_SE1:
 -    case ARMMMUIdx_Stage1_SE1_PAN:
 -    case ARMMMUIdx_SE2:
 -    case ARMMMUIdx_Stage2_S:
 -    case ARMMMUIdx_MSPrivNegPri:
 -    case ARMMMUIdx_MSUserNegPri:
 -    case ARMMMUIdx_MSPriv:
 -    case ARMMMUIdx_MSUser:
 -        return true;
 -    default:
 -        g_assert_not_reached();
 -    }
 -}
 -
  static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx)
  {
--    int i, j;
+     switch (mmu_idx) {
-+    int i, j, vl, vq;
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
--    /* Note that SVE regs are stored as a byte stream, with each byte element
+--- a/target/arm/ptw.c
-+    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
++++ b/target/arm/ptw.c
-+        return false;
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
                     MMUAccessType access_type, ARMMMUIdx mmu_idx,
                     GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
  {
 +    bool is_secure;
 +
 +    switch (mmu_idx) {
 +    case ARMMMUIdx_E10_0:
 +    case ARMMMUIdx_E10_1:
 +    case ARMMMUIdx_E10_1_PAN:
 +    case ARMMMUIdx_E20_0:
 +    case ARMMMUIdx_E20_2:
 +    case ARMMMUIdx_E20_2_PAN:
 +    case ARMMMUIdx_Stage1_E0:
 +    case ARMMMUIdx_Stage1_E1:
 +    case ARMMMUIdx_Stage1_E1_PAN:
 +    case ARMMMUIdx_E2:
 +    case ARMMMUIdx_Stage2:
 +    case ARMMMUIdx_MPrivNegPri:
 +    case ARMMMUIdx_MUserNegPri:
 +    case ARMMMUIdx_MPriv:
 +    case ARMMMUIdx_MUser:
 +        is_secure = false;
 +        break;
 +    case ARMMMUIdx_SE3:
 +    case ARMMMUIdx_SE10_0:
 +    case ARMMMUIdx_SE10_1:
 +    case ARMMMUIdx_SE10_1_PAN:
 +    case ARMMMUIdx_SE20_0:
 +    case ARMMMUIdx_SE20_2:
 +    case ARMMMUIdx_SE20_2_PAN:
 +    case ARMMMUIdx_Stage1_SE0:
 +    case ARMMMUIdx_Stage1_SE1:
 +    case ARMMMUIdx_Stage1_SE1_PAN:
 +    case ARMMMUIdx_SE2:
 +    case ARMMMUIdx_Stage2_S:
 +    case ARMMMUIdx_MSPrivNegPri:
 +    case ARMMMUIdx_MSUserNegPri:
 +    case ARMMMUIdx_MSPriv:
 +    case ARMMMUIdx_MSUser:
 +        is_secure = true;
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
-+
+     return get_phys_addr_with_secure(env, address, access_type, mmu_idx,
-+    __get_user(vl, &sve->vl);
+-                                     regime_is_secure(env, mmu_idx),
-+    vq = sve_vq(env);
+-                                     result, fi);
-+
++                                     is_secure, result, fi);
 +    /* Reject mismatched VL. */
 +    if (vl != vq * TARGET_SVE_VQ_BYTES) {
 +        return false;
 +    }
 +
 +    /* Accept empty record -- used to clear PSTATE.SM. */
 +    if (size <= sizeof(*sve)) {
 +        return true;
 +    }
 +
 +    /* Reject non-empty but incomplete record. */
 +    if (size < TARGET_SVE_SIG_CONTEXT_SIZE(vq)) {
 +        return false;
 +    }
 +
 +    /*
 +     * Note that SVE regs are stored as a byte stream, with each byte element
       * at a subsequent address.  This corresponds to a little-endian load
       * of our 64-bit hunks.
       */
@@ -XXX,XX +XXX,XX @@ static void target_restore_sve_record(CPUARMState *env,
              }
          }
      }
 +    return true;
  }
- static int target_restore_sigframe(CPUARMState *env,
+ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
      struct target_sve_context *sve = NULL;
      uint64_t extra_datap = 0;
      bool used_extra = false;
 -    int vq = 0, sve_size = 0;
 +    int sve_size = 0;
      target_restore_general_frame(env, sf);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
              if (sve || size < sizeof(struct target_sve_context)) {
                  goto err;
              }
 -            if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 -                vq = sve_vq(env);
 -                sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 -                if (size == sve_size) {
 -                    sve = (struct target_sve_context *)ctx;
 -                    break;
 -                }
 -            }
 -            goto err;
 +            sve = (struct target_sve_context *)ctx;
 +            sve_size = size;
 +            break;
          case TARGET_EXTRA_MAGIC:
              if (extra || size != sizeof(struct target_extra_context)) {
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
      }
      /* SVE data, if present, overwrites FPSIMD data.  */
 -    if (sve) {
 -        target_restore_sve_record(env, sve, vq);
 +    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
 +        goto err;
      }
      unlock_user(extra, extra_datap, 0);
      return 0;
 --
 .25.1

-[PULL 31/45] target/arm: Reset streaming sve state on exception boundaries
+[PULL 13/28] target/arm: Add is_secure parameter to do_ats_write
 From: Richard Henderson <richard.henderson@linaro.org>
-We can handle both exception entry and exception return by
+Use get_phys_addr_with_secure directly.  For a-profile, this is the
-hooking into aarch64_sve_change_el.
+one place where the value of is_secure may not equal arm_is_secure(env).
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-32-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-10-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 15 +++++++++++++--
+ target/arm/helper.c | 19 ++++++++++++++-----
-file changed, 13 insertions(+), 2 deletions(-)
+file changed, 14 insertions(+), 5 deletions(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
+@@ -XXX,XX +XXX,XX @@ static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri,
-         return;
  #ifdef CONFIG_TCG
  static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
 -                             MMUAccessType access_type, ARMMMUIdx mmu_idx)
 +                             MMUAccessType access_type, ARMMMUIdx mmu_idx,
 +                             bool is_secure)
  {
      bool ret;
      uint64_t par64;
@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
      ARMMMUFaultInfo fi = {};
      GetPhysAddrResult res = {};
 -    ret = get_phys_addr(env, value, access_type, mmu_idx, &res, &fi);
 +    ret = get_phys_addr_with_secure(env, value, access_type, mmu_idx,
 +                                    is_secure, &res, &fi);
      /*
       * ATS operations only do S1 or S1+S2 translations, so we never
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
          switch (el) {
          case 3:
              mmu_idx = ARMMMUIdx_SE3;
 +            secure = true;
              break;
          case 2:
              g_assert(!secure);  /* ARMv8.4-SecEL2 is 64-bit only */
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
          switch (el) {
          case 3:
              mmu_idx = ARMMMUIdx_SE10_0;
 +            secure = true;
              break;
          case 2:
              g_assert(!secure);  /* ARMv8.4-SecEL2 is 64-bit only */
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
      case 4:
          /* stage 1+2 NonSecure PL1: ATS12NSOPR, ATS12NSOPW */
          mmu_idx = ARMMMUIdx_E10_1;
 +        secure = false;
          break;
      case 6:
          /* stage 1+2 NonSecure PL0: ATS12NSOUR, ATS12NSOUW */
          mmu_idx = ARMMMUIdx_E10_0;
 +        secure = false;
          break;
      default:
          g_assert_not_reached();
      }
-+    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
+-    par64 = do_ats_write(env, value, access_type, mmu_idx);
-+    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
++    par64 = do_ats_write(env, value, access_type, mmu_idx, secure);
-+
-+    /*
+     A32_BANKED_CURRENT_REG_SET(env, par, par64);
-+     * Both AArch64.TakeException and AArch64.ExceptionReturn
+ #else
-+     * invoke ResetSVEState when taking an exception from, or
+@@ -XXX,XX +XXX,XX @@ static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+     * returning to, AArch32 state when PSTATE.SM is enabled.
+     MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD;
-+     */
+     uint64_t par64;
-+    if (old_a64 != new_a64 && FIELD_EX64(env->svcr, SVCR, SM)) {
-+        arm_reset_sve_state(env);
+-    par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2);
-+        return;
++    /* There is no SecureEL2 for AArch32. */
-+    }
++    par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2, false);
-+
-     /*
+     A32_BANKED_CURRENT_REG_SET(env, par, par64);
-      * DDI0584A.d sec 3.2: "If SVE instructions are disabled or trapped
+ #else
-      * at ELx, or not available because the EL is in AArch32 state, then
+@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
+             break;
-      * we already have the correct register contents when encountering the
+         case 6: /* AT S1E3R, AT S1E3W */
-      * vq0->vq0 transition between EL0->EL1.
+             mmu_idx = ARMMMUIdx_SE3;
-      */
++            secure = true;
--    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
+             break;
-     old_len = (old_a64 && !sve_exception_el(env, old_el)
+         default:
-                ? sve_vqm1_for_el(env, old_el) : 0);
+             g_assert_not_reached();
--    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
+@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-     new_len = (new_a64 && !sve_exception_el(env, new_el)
+         g_assert_not_reached();
-                ? sve_vqm1_for_el(env, new_el) : 0);
+     }
 -    env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx);
 +    env->cp15.par_el[1] = do_ats_write(env, value, access_type,
 +                                       mmu_idx, secure);
  #else
      /* Handled by hardware accelerator. */
      g_assert_not_reached();
 --
 .25.1

-[PULL 16/45] target/arm: Handle SME in sve_access_check
+[PULL 14/28] target/arm: Fold secure and non-secure a-profile mmu indexes
 From: Richard Henderson <richard.henderson@linaro.org>
-The pseudocode for CheckSVEEnabled gains a check for Streaming
+For a-profile aarch64, which does not bank system registers, it takes
-SVE mode, and for SME present but SVE absent.
+quite a lot of code to switch between security states.  In the process,
 registers such as TCR_EL{1,2} must be swapped, which in itself requires
 the flushing of softmmu tlbs.  Therefore it doesn't buy us anything to
 separate tlbs by security state.
 Retain the distinction between Stage2 and Stage2_S.
 This will be important as we implement FEAT_RME, and do not wish to
 add a third set of mmu indexes for Realm state.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-17-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-11-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 22 ++++++++++++++++------
+ target/arm/cpu-param.h     |   2 +-
-file changed, 16 insertions(+), 6 deletions(-)
+ target/arm/cpu.h           |  72 +++++++------------
  target/arm/internals.h     |  31 +-------
  target/arm/helper.c        | 144 +++++++++++++------------------------
  target/arm/ptw.c           |  25 ++-----
  target/arm/translate-a64.c |   8 ---
  target/arm/translate.c     |   6 +-
 files changed, 85 insertions(+), 203 deletions(-)
+diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu-param.h
++++ b/target/arm/cpu-param.h
+@@ -XXX,XX +XXX,XX @@
+ # define TARGET_PAGE_BITS_MIN  10
+ #endif
+-#define NB_MMU_MODES 15
++#define NB_MMU_MODES 8
+ #endif
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.h
++++ b/target/arm/cpu.h
+@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
+  *     table over and over.
+  *  6. we need separate EL1/EL2 mmu_idx for handling the Privileged Access
+  *     Never (PAN) bit within PSTATE.
++ *  7. we fold together the secure and non-secure regimes for A-profile,
++ *     because there are no banked system registers for aarch64, so the
++ *     process of switching between secure and non-secure is
++ *     already heavyweight.
+  *
+  * This gives us the following list of cases:
+  *
+- * NS EL0 EL1&0 stage 1+2 (aka NS PL0)
+- * NS EL1 EL1&0 stage 1+2 (aka NS PL1)
+- * NS EL1 EL1&0 stage 1+2 +PAN
+- * NS EL0 EL2&0
+- * NS EL2 EL2&0
+- * NS EL2 EL2&0 +PAN
+- * NS EL2 (aka NS PL2)
+- * S EL0 EL1&0 (aka S PL0)
+- * S EL1 EL1&0 (not used if EL3 is 32 bit)
+- * S EL1 EL1&0 +PAN
+- * S EL3 (aka S PL1)
++ * EL0 EL1&0 stage 1+2 (aka NS PL0)
++ * EL1 EL1&0 stage 1+2 (aka NS PL1)
++ * EL1 EL1&0 stage 1+2 +PAN
++ * EL0 EL2&0
++ * EL2 EL2&0
++ * EL2 EL2&0 +PAN
++ * EL2 (aka NS PL2)
++ * EL3 (aka S PL1)
+  *
+- * for a total of 11 different mmu_idx.
++ * for a total of 8 different mmu_idx.
+  *
+  * R profile CPUs have an MPU, but can use the same set of MMU indexes
+- * as A profile. They only need to distinguish NS EL0 and NS EL1 (and
+- * NS EL2 if we ever model a Cortex-R52).
++ * as A profile. They only need to distinguish EL0 and EL1 (and
++ * EL2 if we ever model a Cortex-R52).
+  *
+  * M profile CPUs are rather different as they do not have a true MMU.
+  * They have the following different MMU indexes:
+@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
+ #define ARM_MMU_IDX_NOTLB 0x20  /* does not have a TLB */
+ #define ARM_MMU_IDX_M     0x40  /* M profile */
+-/* Meanings of the bits for A profile mmu idx values */
+-#define ARM_MMU_IDX_A_NS     0x8
+-
+ /* Meanings of the bits for M profile mmu idx values */
+ #define ARM_MMU_IDX_M_PRIV   0x1
+ #define ARM_MMU_IDX_M_NEGPRI 0x2
+@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
+     /*
+      * A-profile.
+      */
+-    ARMMMUIdx_SE10_0     =  0 | ARM_MMU_IDX_A,
+-    ARMMMUIdx_SE20_0     =  1 | ARM_MMU_IDX_A,
+-    ARMMMUIdx_SE10_1     =  2 | ARM_MMU_IDX_A,
+-    ARMMMUIdx_SE20_2     =  3 | ARM_MMU_IDX_A,
+-    ARMMMUIdx_SE10_1_PAN =  4 | ARM_MMU_IDX_A,
+-    ARMMMUIdx_SE20_2_PAN =  5 | ARM_MMU_IDX_A,
+-    ARMMMUIdx_SE2        =  6 | ARM_MMU_IDX_A,
+-    ARMMMUIdx_SE3        =  7 | ARM_MMU_IDX_A,
+-
+-    ARMMMUIdx_E10_0     = ARMMMUIdx_SE10_0 | ARM_MMU_IDX_A_NS,
+-    ARMMMUIdx_E20_0     = ARMMMUIdx_SE20_0 | ARM_MMU_IDX_A_NS,
+-    ARMMMUIdx_E10_1     = ARMMMUIdx_SE10_1 | ARM_MMU_IDX_A_NS,
+-    ARMMMUIdx_E20_2     = ARMMMUIdx_SE20_2 | ARM_MMU_IDX_A_NS,
+-    ARMMMUIdx_E10_1_PAN = ARMMMUIdx_SE10_1_PAN | ARM_MMU_IDX_A_NS,
+-    ARMMMUIdx_E20_2_PAN = ARMMMUIdx_SE20_2_PAN | ARM_MMU_IDX_A_NS,
+-    ARMMMUIdx_E2        = ARMMMUIdx_SE2 | ARM_MMU_IDX_A_NS,
++    ARMMMUIdx_E10_0     = 0 | ARM_MMU_IDX_A,
++    ARMMMUIdx_E20_0     = 1 | ARM_MMU_IDX_A,
++    ARMMMUIdx_E10_1     = 2 | ARM_MMU_IDX_A,
++    ARMMMUIdx_E20_2     = 3 | ARM_MMU_IDX_A,
++    ARMMMUIdx_E10_1_PAN = 4 | ARM_MMU_IDX_A,
++    ARMMMUIdx_E20_2_PAN = 5 | ARM_MMU_IDX_A,
++    ARMMMUIdx_E2        = 6 | ARM_MMU_IDX_A,
++    ARMMMUIdx_E3        = 7 | ARM_MMU_IDX_A,
+     /*
+      * These are not allocated TLBs and are used only for AT system
+@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
+     ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB,
+     ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB,
+     ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB,
+-    ARMMMUIdx_Stage1_SE0 = 3 | ARM_MMU_IDX_NOTLB,
+-    ARMMMUIdx_Stage1_SE1 = 4 | ARM_MMU_IDX_NOTLB,
+-    ARMMMUIdx_Stage1_SE1_PAN = 5 | ARM_MMU_IDX_NOTLB,
+     /*
+      * Not allocated a TLB: used only for second stage of an S12 page
+      * table walk, or for descriptor loads during first stage of an S1
+@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
+      * then various TLB flush insns which currently are no-ops or flush
+      * only stage 1 MMU indexes will need to change to flush stage 2.
+      */
+-    ARMMMUIdx_Stage2     = 6 | ARM_MMU_IDX_NOTLB,
+-    ARMMMUIdx_Stage2_S   = 7 | ARM_MMU_IDX_NOTLB,
++    ARMMMUIdx_Stage2     = 3 | ARM_MMU_IDX_NOTLB,
++    ARMMMUIdx_Stage2_S   = 4 | ARM_MMU_IDX_NOTLB,
+     /*
+      * M-profile.
+@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdxBit {
+     TO_CORE_BIT(E2),
+     TO_CORE_BIT(E20_2),
+     TO_CORE_BIT(E20_2_PAN),
+-    TO_CORE_BIT(SE10_0),
+-    TO_CORE_BIT(SE20_0),
+-    TO_CORE_BIT(SE10_1),
+-    TO_CORE_BIT(SE20_2),
+-    TO_CORE_BIT(SE10_1_PAN),
+-    TO_CORE_BIT(SE20_2_PAN),
+-    TO_CORE_BIT(SE2),
+-    TO_CORE_BIT(SE3),
++    TO_CORE_BIT(E3),
+     TO_CORE_BIT(MUser),
+     TO_CORE_BIT(MPriv),
+diff --git a/target/arm/internals.h b/target/arm/internals.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/internals.h
++++ b/target/arm/internals.h
+@@ -XXX,XX +XXX,XX @@ static inline bool regime_has_2_ranges(ARMMMUIdx mmu_idx)
+     case ARMMMUIdx_Stage1_E0:
+     case ARMMMUIdx_Stage1_E1:
+     case ARMMMUIdx_Stage1_E1_PAN:
+-    case ARMMMUIdx_Stage1_SE0:
+-    case ARMMMUIdx_Stage1_SE1:
+-    case ARMMMUIdx_Stage1_SE1_PAN:
+     case ARMMMUIdx_E10_0:
+     case ARMMMUIdx_E10_1:
+     case ARMMMUIdx_E10_1_PAN:
+     case ARMMMUIdx_E20_0:
+     case ARMMMUIdx_E20_2:
+     case ARMMMUIdx_E20_2_PAN:
+-    case ARMMMUIdx_SE10_0:
+-    case ARMMMUIdx_SE10_1:
+-    case ARMMMUIdx_SE10_1_PAN:
+-    case ARMMMUIdx_SE20_0:
+-    case ARMMMUIdx_SE20_2:
+-    case ARMMMUIdx_SE20_2_PAN:
+         return true;
+     default:
+         return false;
+@@ -XXX,XX +XXX,XX @@ static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx)
+ {
+     switch (mmu_idx) {
+     case ARMMMUIdx_Stage1_E1_PAN:
+-    case ARMMMUIdx_Stage1_SE1_PAN:
+     case ARMMMUIdx_E10_1_PAN:
+     case ARMMMUIdx_E20_2_PAN:
+-    case ARMMMUIdx_SE10_1_PAN:
+-    case ARMMMUIdx_SE20_2_PAN:
+         return true;
+     default:
+         return false;
+@@ -XXX,XX +XXX,XX @@ static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx)
+ static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)
+ {
+     switch (mmu_idx) {
+-    case ARMMMUIdx_SE20_0:
+-    case ARMMMUIdx_SE20_2:
+-    case ARMMMUIdx_SE20_2_PAN:
+     case ARMMMUIdx_E20_0:
+     case ARMMMUIdx_E20_2:
+     case ARMMMUIdx_E20_2_PAN:
+     case ARMMMUIdx_Stage2:
+     case ARMMMUIdx_Stage2_S:
+-    case ARMMMUIdx_SE2:
+     case ARMMMUIdx_E2:
+         return 2;
+-    case ARMMMUIdx_SE3:
++    case ARMMMUIdx_E3:
+         return 3;
+-    case ARMMMUIdx_SE10_0:
+-    case ARMMMUIdx_Stage1_SE0:
+-        return arm_el_is_aa64(env, 3) ? 1 : 3;
+-    case ARMMMUIdx_SE10_1:
+-    case ARMMMUIdx_SE10_1_PAN:
++    case ARMMMUIdx_E10_0:
+     case ARMMMUIdx_Stage1_E0:
++        return arm_el_is_aa64(env, 3) || !arm_is_secure_below_el3(env) ? 1 : 3;
+     case ARMMMUIdx_Stage1_E1:
+     case ARMMMUIdx_Stage1_E1_PAN:
+-    case ARMMMUIdx_Stage1_SE1:
+-    case ARMMMUIdx_Stage1_SE1_PAN:
+-    case ARMMMUIdx_E10_0:
+     case ARMMMUIdx_E10_1:
+     case ARMMMUIdx_E10_1_PAN:
+     case ARMMMUIdx_MPrivNegPri:
+@@ -XXX,XX +XXX,XX @@ static inline bool arm_mmu_idx_is_stage1_of_2(ARMMMUIdx mmu_idx)
+     case ARMMMUIdx_Stage1_E0:
+     case ARMMMUIdx_Stage1_E1:
+     case ARMMMUIdx_Stage1_E1_PAN:
+-    case ARMMMUIdx_Stage1_SE0:
+-    case ARMMMUIdx_Stage1_SE1:
+-    case ARMMMUIdx_Stage1_SE1_PAN:
+         return true;
+     default:
+         return false;
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+     /* Begin with base v8.0 state.  */
+     uint64_t valid_mask = 0x3fff;
+     ARMCPU *cpu = env_archcpu(env);
++    uint64_t changed;
+     /*
+      * Because SCR_EL3 is the "real" cpreg and SCR is the alias, reset always
+@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+     /* Clear all-context RES0 bits.  */
+     value &= valid_mask;
+-    raw_write(env, ri, value);
++    changed = env->cp15.scr_el3 ^ value;
++    env->cp15.scr_el3 = value;
++
++    /*
++     * If SCR_EL3.NS changes, i.e. arm_is_secure_below_el3, then
++     * we must invalidate all TLBs below EL3.
++     */
++    if (changed & SCR_NS) {
++        tlb_flush_by_mmuidx(env_cpu(env), (ARMMMUIdxBit_E10_0 |
++                                           ARMMMUIdxBit_E20_0 |
++                                           ARMMMUIdxBit_E10_1 |
++                                           ARMMMUIdxBit_E20_2 |
++                                           ARMMMUIdxBit_E10_1_PAN |
++                                           ARMMMUIdxBit_E20_2_PAN |
++                                           ARMMMUIdxBit_E2));
++    }
+ }
+ static void scr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+@@ -XXX,XX +XXX,XX @@ static int gt_phys_redir_timeridx(CPUARMState *env)
+     case ARMMMUIdx_E20_0:
+     case ARMMMUIdx_E20_2:
+     case ARMMMUIdx_E20_2_PAN:
+-    case ARMMMUIdx_SE20_0:
+-    case ARMMMUIdx_SE20_2:
+-    case ARMMMUIdx_SE20_2_PAN:
+         return GTIMER_HYP;
+     default:
+         return GTIMER_PHYS;
+@@ -XXX,XX +XXX,XX @@ static int gt_virt_redir_timeridx(CPUARMState *env)
+     case ARMMMUIdx_E20_0:
+     case ARMMMUIdx_E20_2:
+     case ARMMMUIdx_E20_2_PAN:
+-    case ARMMMUIdx_SE20_0:
+-    case ARMMMUIdx_SE20_2:
+-    case ARMMMUIdx_SE20_2_PAN:
+         return GTIMER_HYPVIRT;
+     default:
+         return GTIMER_VIRT;
+@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+         /* stage 1 current state PL1: ATS1CPR, ATS1CPW, ATS1CPRP, ATS1CPWP */
+         switch (el) {
+         case 3:
+-            mmu_idx = ARMMMUIdx_SE3;
++            mmu_idx = ARMMMUIdx_E3;
+             secure = true;
+             break;
+         case 2:
+@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+             /* fall through */
+         case 1:
+             if (ri->crm == 9 && (env->uncached_cpsr & CPSR_PAN)) {
+-                mmu_idx = (secure ? ARMMMUIdx_Stage1_SE1_PAN
+-                           : ARMMMUIdx_Stage1_E1_PAN);
++                mmu_idx = ARMMMUIdx_Stage1_E1_PAN;
+             } else {
+-                mmu_idx = secure ? ARMMMUIdx_Stage1_SE1 : ARMMMUIdx_Stage1_E1;
++                mmu_idx = ARMMMUIdx_Stage1_E1;
+             }
+             break;
+         default:
+@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+         /* stage 1 current state PL0: ATS1CUR, ATS1CUW */
+         switch (el) {
+         case 3:
+-            mmu_idx = ARMMMUIdx_SE10_0;
++            mmu_idx = ARMMMUIdx_E10_0;
+             secure = true;
+             break;
+         case 2:
+@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+             mmu_idx = ARMMMUIdx_Stage1_E0;
+             break;
+         case 1:
+-            mmu_idx = secure ? ARMMMUIdx_Stage1_SE0 : ARMMMUIdx_Stage1_E0;
++            mmu_idx = ARMMMUIdx_Stage1_E0;
+             break;
+         default:
+             g_assert_not_reached();
+@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
+         switch (ri->opc1) {
+         case 0: /* AT S1E1R, AT S1E1W, AT S1E1RP, AT S1E1WP */
+             if (ri->crm == 9 && (env->pstate & PSTATE_PAN)) {
+-                mmu_idx = (secure ? ARMMMUIdx_Stage1_SE1_PAN
+-                           : ARMMMUIdx_Stage1_E1_PAN);
++                mmu_idx = ARMMMUIdx_Stage1_E1_PAN;
+             } else {
+-                mmu_idx = secure ? ARMMMUIdx_Stage1_SE1 : ARMMMUIdx_Stage1_E1;
++                mmu_idx = ARMMMUIdx_Stage1_E1;
+             }
+             break;
+         case 4: /* AT S1E2R, AT S1E2W */
+-            mmu_idx = secure ? ARMMMUIdx_SE2 : ARMMMUIdx_E2;
++            mmu_idx = ARMMMUIdx_E2;
+             break;
+         case 6: /* AT S1E3R, AT S1E3W */
+-            mmu_idx = ARMMMUIdx_SE3;
++            mmu_idx = ARMMMUIdx_E3;
+             secure = true;
+             break;
+         default:
+@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
+         }
+         break;
+     case 2: /* AT S1E0R, AT S1E0W */
+-        mmu_idx = secure ? ARMMMUIdx_Stage1_SE0 : ARMMMUIdx_Stage1_E0;
++        mmu_idx = ARMMMUIdx_Stage1_E0;
+         break;
+     case 4: /* AT S12E1R, AT S12E1W */
+-        mmu_idx = secure ? ARMMMUIdx_SE10_1 : ARMMMUIdx_E10_1;
++        mmu_idx = ARMMMUIdx_E10_1;
+         break;
+     case 6: /* AT S12E0R, AT S12E0W */
+-        mmu_idx = secure ? ARMMMUIdx_SE10_0 : ARMMMUIdx_E10_0;
++        mmu_idx = ARMMMUIdx_E10_0;
+         break;
+     default:
+         g_assert_not_reached();
+@@ -XXX,XX +XXX,XX @@ static void vmsa_tcr_ttbr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri,
+         uint16_t mask = ARMMMUIdxBit_E20_2 |
+                         ARMMMUIdxBit_E20_2_PAN |
+                         ARMMMUIdxBit_E20_0;
+-
+-        if (arm_is_secure_below_el3(env)) {
+-            mask >>= ARM_MMU_IDX_A_NS;
+-        }
+-
+         tlb_flush_by_mmuidx(env_cpu(env), mask);
+     }
+     raw_write(env, ri, value);
+@@ -XXX,XX +XXX,XX @@ static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+         uint16_t mask = ARMMMUIdxBit_E10_1 |
+                         ARMMMUIdxBit_E10_1_PAN |
+                         ARMMMUIdxBit_E10_0;
+-
+-        if (arm_is_secure_below_el3(env)) {
+-            mask >>= ARM_MMU_IDX_A_NS;
+-        }
+-
+         tlb_flush_by_mmuidx(cs, mask);
+         raw_write(env, ri, value);
+     }
+@@ -XXX,XX +XXX,XX @@ static int vae1_tlbmask(CPUARMState *env)
+                ARMMMUIdxBit_E10_1_PAN |
+                ARMMMUIdxBit_E10_0;
+     }
+-
+-    if (arm_is_secure_below_el3(env)) {
+-        mask >>= ARM_MMU_IDX_A_NS;
+-    }
+-
+     return mask;
+ }
+@@ -XXX,XX +XXX,XX @@ static int vae1_tlbbits(CPUARMState *env, uint64_t addr)
+         mmu_idx = ARMMMUIdx_E10_0;
+     }
+-    if (arm_is_secure_below_el3(env)) {
+-        mmu_idx &= ~ARM_MMU_IDX_A_NS;
+-    }
+-
+     return tlbbits_for_regime(env, mmu_idx, addr);
+ }
+@@ -XXX,XX +XXX,XX @@ static int alle1_tlbmask(CPUARMState *env)
+      * stage 2 translations, whereas most other scopes only invalidate
+      * stage 1 translations.
+      */
+-    if (arm_is_secure_below_el3(env)) {
+-        return ARMMMUIdxBit_SE10_1 |
+-               ARMMMUIdxBit_SE10_1_PAN |
+-               ARMMMUIdxBit_SE10_0;
+-    } else {
+-        return ARMMMUIdxBit_E10_1 |
+-               ARMMMUIdxBit_E10_1_PAN |
+-               ARMMMUIdxBit_E10_0;
+-    }
++    return (ARMMMUIdxBit_E10_1 |
++            ARMMMUIdxBit_E10_1_PAN |
++            ARMMMUIdxBit_E10_0);
+ }
+ static int e2_tlbmask(CPUARMState *env)
+ {
+-    if (arm_is_secure_below_el3(env)) {
+-        return ARMMMUIdxBit_SE20_0 |
+-               ARMMMUIdxBit_SE20_2 |
+-               ARMMMUIdxBit_SE20_2_PAN |
+-               ARMMMUIdxBit_SE2;
+-    } else {
+-        return ARMMMUIdxBit_E20_0 |
+-               ARMMMUIdxBit_E20_2 |
+-               ARMMMUIdxBit_E20_2_PAN |
+-               ARMMMUIdxBit_E2;
+-    }
++    return (ARMMMUIdxBit_E20_0 |
++            ARMMMUIdxBit_E20_2 |
++            ARMMMUIdxBit_E20_2_PAN |
++            ARMMMUIdxBit_E2);
+ }
+ static void tlbi_aa64_alle1_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_alle3_write(CPUARMState *env, const ARMCPRegInfo *ri,
+     ARMCPU *cpu = env_archcpu(env);
+     CPUState *cs = CPU(cpu);
+-    tlb_flush_by_mmuidx(cs, ARMMMUIdxBit_SE3);
++    tlb_flush_by_mmuidx(cs, ARMMMUIdxBit_E3);
+ }
+ static void tlbi_aa64_alle1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_alle3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ {
+     CPUState *cs = env_cpu(env);
+-    tlb_flush_by_mmuidx_all_cpus_synced(cs, ARMMMUIdxBit_SE3);
++    tlb_flush_by_mmuidx_all_cpus_synced(cs, ARMMMUIdxBit_E3);
+ }
+ static void tlbi_aa64_vae2_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae3_write(CPUARMState *env, const ARMCPRegInfo *ri,
+     CPUState *cs = CPU(cpu);
+     uint64_t pageaddr = sextract64(value << 12, 0, 56);
+-    tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_SE3);
++    tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_E3);
+ }
+ static void tlbi_aa64_vae1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae2is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ {
+     CPUState *cs = env_cpu(env);
+     uint64_t pageaddr = sextract64(value << 12, 0, 56);
+-    bool secure = arm_is_secure_below_el3(env);
+-    int mask = secure ? ARMMMUIdxBit_SE2 : ARMMMUIdxBit_E2;
+-    int bits = tlbbits_for_regime(env, secure ? ARMMMUIdx_SE2 : ARMMMUIdx_E2,
+-                                  pageaddr);
++    int bits = tlbbits_for_regime(env, ARMMMUIdx_E2, pageaddr);
+-    tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, mask, bits);
++    tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr,
++                                                  ARMMMUIdxBit_E2, bits);
+ }
+ static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ {
+     CPUState *cs = env_cpu(env);
+     uint64_t pageaddr = sextract64(value << 12, 0, 56);
+-    int bits = tlbbits_for_regime(env, ARMMMUIdx_SE3, pageaddr);
++    int bits = tlbbits_for_regime(env, ARMMMUIdx_E3, pageaddr);
+     tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr,
+-                                                  ARMMMUIdxBit_SE3, bits);
++                                                  ARMMMUIdxBit_E3, bits);
+ }
+ #ifdef TARGET_AARCH64
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae1is_write(CPUARMState *env,
+ static int vae2_tlbmask(CPUARMState *env)
+ {
+-    return (arm_is_secure_below_el3(env)
+-            ? ARMMMUIdxBit_SE2 : ARMMMUIdxBit_E2);
++    return ARMMMUIdxBit_E2;
+ }
+ static void tlbi_aa64_rvae2_write(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae3_write(CPUARMState *env,
+      * flush-last-level-only.
+      */
+-    do_rvae_write(env, value, ARMMMUIdxBit_SE3,
+-                  tlb_force_broadcast(env));
++    do_rvae_write(env, value, ARMMMUIdxBit_E3, tlb_force_broadcast(env));
+ }
+ static void tlbi_aa64_rvae3is_write(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae3is_write(CPUARMState *env,
+      * flush-last-level-only or inner/outer specific flushes.
+      */
+-    do_rvae_write(env, value, ARMMMUIdxBit_SE3, true);
++    do_rvae_write(env, value, ARMMMUIdxBit_E3, true);
+ }
+ #endif
+@@ -XXX,XX +XXX,XX @@ uint64_t arm_sctlr(CPUARMState *env, int el)
+     /* Only EL0 needs to be adjusted for EL1&0 or EL2&0. */
+     if (el == 0) {
+         ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, 0);
+-        el = (mmu_idx == ARMMMUIdx_E20_0 || mmu_idx == ARMMMUIdx_SE20_0)
+-             ? 2 : 1;
++        el = mmu_idx == ARMMMUIdx_E20_0 ? 2 : 1;
+     }
+     return env->cp15.sctlr_el[el];
+ }
+@@ -XXX,XX +XXX,XX @@ int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx)
+     switch (mmu_idx) {
+     case ARMMMUIdx_E10_0:
+     case ARMMMUIdx_E20_0:
+-    case ARMMMUIdx_SE10_0:
+-    case ARMMMUIdx_SE20_0:
+         return 0;
+     case ARMMMUIdx_E10_1:
+     case ARMMMUIdx_E10_1_PAN:
+-    case ARMMMUIdx_SE10_1:
+-    case ARMMMUIdx_SE10_1_PAN:
+         return 1;
+     case ARMMMUIdx_E2:
+     case ARMMMUIdx_E20_2:
+     case ARMMMUIdx_E20_2_PAN:
+-    case ARMMMUIdx_SE2:
+-    case ARMMMUIdx_SE20_2:
+-    case ARMMMUIdx_SE20_2_PAN:
+         return 2;
+-    case ARMMMUIdx_SE3:
++    case ARMMMUIdx_E3:
+         return 3;
+     default:
+         g_assert_not_reached();
+@@ -XXX,XX +XXX,XX @@ ARMMMUIdx arm_mmu_idx_el(CPUARMState *env, int el)
+         }
+         break;
+     case 3:
+-        return ARMMMUIdx_SE3;
++        return ARMMMUIdx_E3;
+     default:
+         g_assert_not_reached();
+     }
+-    if (arm_is_secure_below_el3(env)) {
+-        idx &= ~ARM_MMU_IDX_A_NS;
+-    }
+-
+     return idx;
+ }
+@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
+         switch (mmu_idx) {
+         case ARMMMUIdx_E10_1:
+         case ARMMMUIdx_E10_1_PAN:
+-        case ARMMMUIdx_SE10_1:
+-        case ARMMMUIdx_SE10_1_PAN:
+             /* TODO: ARMv8.3-NV */
+             DP_TBFLAG_A64(flags, UNPRIV, 1);
+             break;
+         case ARMMMUIdx_E20_2:
+         case ARMMMUIdx_E20_2_PAN:
+-        case ARMMMUIdx_SE20_2:
+-        case ARMMMUIdx_SE20_2_PAN:
+             /*
+              * Note that EL20_2 is gated by HCR_EL2.E2H == 1, but EL20_0 is
+              * gated by HCR_EL2.<E2H,TGE> == '11', and so is LDTR.
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ unsigned int arm_pamax(ARMCPU *cpu)
+ ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
+ {
+     switch (mmu_idx) {
+-    case ARMMMUIdx_SE10_0:
+-        return ARMMMUIdx_Stage1_SE0;
+-    case ARMMMUIdx_SE10_1:
+-        return ARMMMUIdx_Stage1_SE1;
+-    case ARMMMUIdx_SE10_1_PAN:
+-        return ARMMMUIdx_Stage1_SE1_PAN;
+     case ARMMMUIdx_E10_0:
+         return ARMMMUIdx_Stage1_E0;
+     case ARMMMUIdx_E10_1:
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_idx)
+ static bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
+ {
+     switch (mmu_idx) {
+-    case ARMMMUIdx_SE10_0:
+     case ARMMMUIdx_E20_0:
+-    case ARMMMUIdx_SE20_0:
+     case ARMMMUIdx_Stage1_E0:
+-    case ARMMMUIdx_Stage1_SE0:
+     case ARMMMUIdx_MUser:
+     case ARMMMUIdx_MSUser:
+     case ARMMMUIdx_MUserNegPri:
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
+             s2_mmu_idx = (s2walk_secure
+                           ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2);
+-            is_el0 = mmu_idx == ARMMMUIdx_E10_0 || mmu_idx == ARMMMUIdx_SE10_0;
++            is_el0 = mmu_idx == ARMMMUIdx_E10_0;
+             /*
+              * S1 is done, now do S2 translation.
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
+     case ARMMMUIdx_Stage1_E1:
+     case ARMMMUIdx_Stage1_E1_PAN:
+     case ARMMMUIdx_E2:
++        is_secure = arm_is_secure_below_el3(env);
++        break;
+     case ARMMMUIdx_Stage2:
+     case ARMMMUIdx_MPrivNegPri:
+     case ARMMMUIdx_MUserNegPri:
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
+     case ARMMMUIdx_MUser:
+         is_secure = false;
+         break;
+-    case ARMMMUIdx_SE3:
+-    case ARMMMUIdx_SE10_0:
+-    case ARMMMUIdx_SE10_1:
+-    case ARMMMUIdx_SE10_1_PAN:
+-    case ARMMMUIdx_SE20_0:
+-    case ARMMMUIdx_SE20_2:
+-    case ARMMMUIdx_SE20_2_PAN:
+-    case ARMMMUIdx_Stage1_SE0:
+-    case ARMMMUIdx_Stage1_SE1:
+-    case ARMMMUIdx_Stage1_SE1_PAN:
+-    case ARMMMUIdx_SE2:
++    case ARMMMUIdx_E3:
+     case ARMMMUIdx_Stage2_S:
+     case ARMMMUIdx_MSPrivNegPri:
+     case ARMMMUIdx_MSUserNegPri:
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
+@@ -XXX,XX +XXX,XX @@ static int get_a64_user_mem_index(DisasContext *s)
-     return true;
+         case ARMMMUIdx_E20_2_PAN:
- }
+             useridx = ARMMMUIdx_E20_0;
+             break;
--/* Check that SVE access is enabled.  If it is, return true.
+-        case ARMMMUIdx_SE10_1:
-+/*
+-        case ARMMMUIdx_SE10_1_PAN:
-+ * Check that SVE access is enabled.  If it is, return true.
+-            useridx = ARMMMUIdx_SE10_0;
-  * If not, emit code to generate an appropriate exception and return false.
+-            break;
-+ * This function corresponds to CheckSVEEnabled().
+-        case ARMMMUIdx_SE20_2:
-  */
+-        case ARMMMUIdx_SE20_2_PAN:
- bool sve_access_check(DisasContext *s)
+-            useridx = ARMMMUIdx_SE20_0;
- {
+-            break;
--    if (s->sve_excp_el) {
+         default:
--        assert(!s->sve_access_checked);
+             g_assert_not_reached();
--        s->sve_access_checked = true;
+         }
--
+diff --git a/target/arm/translate.c b/target/arm/translate.c
-+    if (s->pstate_sm || !dc_isar_feature(aa64_sve, s)) {
+index XXXXXXX..XXXXXXX 100644
-+        assert(dc_isar_feature(aa64_sme, s));
+--- a/target/arm/translate.c
-+        if (!sme_sm_enabled_check(s)) {
++++ b/target/arm/translate.c
-+            goto fail_exit;
+@@ -XXX,XX +XXX,XX @@ static inline int get_a32_user_mem_index(DisasContext *s)
-+        }
+      *  otherwise, access as if at PL0.
-+    } else if (s->sve_excp_el) {
+      */
-         gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
+     switch (s->mmu_idx) {
-                               syn_sve_access_trap(), s->sve_excp_el);
++    case ARMMMUIdx_E3:
--        return false;
+     case ARMMMUIdx_E2:        /* this one is UNPREDICTABLE */
-+        goto fail_exit;
+     case ARMMMUIdx_E10_0:
-     }
+     case ARMMMUIdx_E10_1:
-     s->sve_access_checked = true;
+     case ARMMMUIdx_E10_1_PAN:
-     return fp_access_check(s);
+         return arm_to_core_mmu_idx(ARMMMUIdx_E10_0);
-+
+-    case ARMMMUIdx_SE3:
-+ fail_exit:
+-    case ARMMMUIdx_SE10_0:
-+    /* Assert that we only raise one exception per instruction. */
+-    case ARMMMUIdx_SE10_1:
-+    assert(!s->sve_access_checked);
+-    case ARMMMUIdx_SE10_1_PAN:
-+    s->sve_access_checked = true;
+-        return arm_to_core_mmu_idx(ARMMMUIdx_SE10_0);
-+    return false;
+     case ARMMMUIdx_MUser:
- }
+     case ARMMMUIdx_MPriv:
+         return arm_to_core_mmu_idx(ARMMMUIdx_MUser);
  /*
 --
 .25.1

-[PULL 37/45] linux-user/aarch64: Do not allow duplicate or short sve records
+[PULL 15/28] target/arm: Reorg regime_translation_disabled
 From: Richard Henderson <richard.henderson@linaro.org>
-In parse_user_sigframe, the kernel rejects duplicate sve records,
+Use a switch on mmu_idx for the a-profile indexes, instead of
-or records that are smaller than the header.  We were silently
+three different if's vs regime_el and arm_mmu_idx_is_stage1_of_2.
 allowing these cases to pass, dropping the record.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-38-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-12-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/signal.c | 5 ++++-
+ target/arm/ptw.c | 32 +++++++++++++++++++++++++-------
-file changed, 4 insertions(+), 1 deletion(-)
+file changed, 25 insertions(+), 7 deletions(-)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/target/arm/ptw.c
-+++ b/linux-user/aarch64/signal.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
-             break;
+     hcr_el2 = arm_hcr_el2_eff(env);
-         case TARGET_SVE_MAGIC:
-+            if (sve || size < sizeof(struct target_sve_context)) {
+-    if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
-+                goto err;
++    switch (mmu_idx) {
-+            }
++    case ARMMMUIdx_Stage2:
-             if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
++    case ARMMMUIdx_Stage2_S:
-                 vq = sve_vq(env);
+         /* HCR.DC means HCR.VM behaves as 1 */
-                 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
+         return (hcr_el2 & (HCR_DC | HCR_VM)) == 0;
--                if (!sve && size == sve_size) {
+-    }
-+                if (size == sve_size) {
-                     sve = (struct target_sve_context *)ctx;
+-    if (hcr_el2 & HCR_TGE) {
-                     break;
++    case ARMMMUIdx_E10_0:
-                 }
++    case ARMMMUIdx_E10_1:
 +    case ARMMMUIdx_E10_1_PAN:
          /* TGE means that NS EL0/1 act as if SCTLR_EL1.M is zero */
 -        if (!is_secure && regime_el(env, mmu_idx) == 1) {
 +        if (!is_secure && (hcr_el2 & HCR_TGE)) {
              return true;
          }
 -    }
 +        break;
 -    if ((hcr_el2 & HCR_DC) && arm_mmu_idx_is_stage1_of_2(mmu_idx)) {
 +    case ARMMMUIdx_Stage1_E0:
 +    case ARMMMUIdx_Stage1_E1:
 +    case ARMMMUIdx_Stage1_E1_PAN:
          /* HCR.DC means SCTLR_EL1.M behaves as 0 */
 -        return true;
 +        if (hcr_el2 & HCR_DC) {
 +            return true;
 +        }
 +        break;
 +
 +    case ARMMMUIdx_E20_0:
 +    case ARMMMUIdx_E20_2:
 +    case ARMMMUIdx_E20_2_PAN:
 +    case ARMMMUIdx_E2:
 +    case ARMMMUIdx_E3:
 +        break;
 +
 +    default:
 +        g_assert_not_reached();
      }
      return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
 --
 .25.1

-[PULL 36/45] linux-user/aarch64: Tidy target_restore_sigframe error return
+[PULL 16/28] target/arm: Drop secure check for HCR.TGE vs SCTLR_EL1.M
 From: Richard Henderson <richard.henderson@linaro.org>
-Fold the return value setting into the goto, so each
+The effect of TGE does not only apply to non-secure state,
-point of failure need not do both.
+now that Secure EL2 exists.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-37-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-13-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/signal.c | 26 +++++++++++---------------
+ target/arm/ptw.c | 4 ++--
-file changed, 11 insertions(+), 15 deletions(-)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/target/arm/ptw.c
-+++ b/linux-user/aarch64/signal.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
-     struct target_sve_context *sve = NULL;
+     case ARMMMUIdx_E10_0:
-     uint64_t extra_datap = 0;
+     case ARMMMUIdx_E10_1:
-     bool used_extra = false;
+     case ARMMMUIdx_E10_1_PAN:
--    bool err = false;
+-        /* TGE means that NS EL0/1 act as if SCTLR_EL1.M is zero */
-     int vq = 0, sve_size = 0;
+-        if (!is_secure && (hcr_el2 & HCR_TGE)) {
++        /* TGE means that EL0/1 act as if SCTLR_EL1.M is zero */
-     target_restore_general_frame(env, sf);
++        if (hcr_el2 & HCR_TGE) {
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+             return true;
          switch (magic) {
          case 0:
              if (size != 0) {
 -                err = true;
 -                goto exit;
 +                goto err;
              }
              if (used_extra) {
                  ctx = NULL;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
          case TARGET_FPSIMD_MAGIC:
              if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
 -                err = true;
 -                goto exit;
 +                goto err;
              }
              fpsimd = (struct target_fpsimd_context *)ctx;
              break;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
                      break;
                  }
              }
 -            err = true;
 -            goto exit;
 +            goto err;
          case TARGET_EXTRA_MAGIC:
              if (extra || size != sizeof(struct target_extra_context)) {
 -                err = true;
 -                goto exit;
 +                goto err;
              }
              __get_user(extra_datap,
                         &((struct target_extra_context *)ctx)->datap);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
              /* Unknown record -- we certainly didn't generate it.
               * Did we in fact get out of sync?
               */
 -            err = true;
 -            goto exit;
 +            goto err;
          }
-         ctx = (void *)ctx + size;
+         break;
      }
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
      if (fpsimd) {
          target_restore_fpsimd_record(env, fpsimd);
      } else {
 -        err = true;
 +        goto err;
      }
      /* SVE data, if present, overwrites FPSIMD data.  */
      if (sve) {
          target_restore_sve_record(env, sve, vq);
      }
 -
 - exit:
      unlock_user(extra, extra_datap, 0);
 -    return err;
 +    return 0;
 +
 + err:
 +    unlock_user(extra, extra_datap, 0);
 +    return 1;
  }
  static abi_ulong get_sigframe(struct target_sigaction *ka,
 --
 .25.1

-[PULL 15/45] target/arm: Add SME enablement checks
+[PULL 17/28] target/arm: Introduce arm_hcr_el2_eff_secstate
 From: Richard Henderson <richard.henderson@linaro.org>
-These functions will be used to verify that the cpu
+For page walking, we may require HCR for a security state
-is in the correct state for a given instruction.
+that is not "current".
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-16-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-14-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.h | 21 +++++++++++++++++++++
+ target/arm/cpu.h    | 20 +++++++++++++-------
- target/arm/translate-a64.c | 34 ++++++++++++++++++++++++++++++++++
+ target/arm/helper.c | 11 ++++++++---
-files changed, 55 insertions(+)
+files changed, 21 insertions(+), 10 deletions(-)
-diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.h
+--- a/target/arm/cpu.h
-+++ b/target/arm/translate-a64.h
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ void write_fp_dreg(DisasContext *s, int reg, TCGv_i64 v);
+@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env)
- bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
+  * Return true if the current security state has AArch64 EL2 or AArch32 Hyp.
-                             unsigned int imms, unsigned int immr);
+  * This corresponds to the pseudocode EL2Enabled()
- bool sve_access_check(DisasContext *s);
+  */
-+bool sme_enabled_check(DisasContext *s);
++static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, bool secure)
 +bool sme_enabled_check_with_svcr(DisasContext *s, unsigned);
 +
 +/* This function corresponds to CheckStreamingSVEEnabled. */
 +static inline bool sme_sm_enabled_check(DisasContext *s)
 +{
-+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK);
++    return arm_feature(env, ARM_FEATURE_EL2)
 +           && (!secure || (env->cp15.scr_el3 & SCR_EEL2));
 +}
 +
-+/* This function corresponds to CheckSMEAndZAEnabled. */
+ static inline bool arm_is_el2_enabled(CPUARMState *env)
-+static inline bool sme_za_enabled_check(DisasContext *s)
+ {
 -    if (arm_feature(env, ARM_FEATURE_EL2)) {
 -        if (arm_is_secure_below_el3(env)) {
 -            return (env->cp15.scr_el3 & SCR_EEL2) != 0;
 -        }
 -        return true;
 -    }
 -    return false;
 +    return arm_is_el2_enabled_secstate(env, arm_is_secure_below_el3(env));
  }
  #else
@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env)
      return false;
  }
 +static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, bool secure)
 +{
-+    return sme_enabled_check_with_svcr(s, R_SVCR_ZA_MASK);
++    return false;
 +}
 +
-+/* Note that this function corresponds to CheckStreamingSVEAndZAEnabled. */
+ static inline bool arm_is_el2_enabled(CPUARMState *env)
-+static inline bool sme_smza_enabled_check(DisasContext *s)
+ {
      return false;
@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_el2_enabled(CPUARMState *env)
   * "for all purposes other than a direct read or write access of HCR_EL2."
   * Not included here is HCR_RW.
   */
 +uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, bool secure);
  uint64_t arm_hcr_el2_eff(CPUARMState *env);
  uint64_t arm_hcrx_el2_eff(CPUARMState *env);
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri,
  }
  /*
 - * Return the effective value of HCR_EL2.
 + * Return the effective value of HCR_EL2, at the given security state.
   * Bits that are not included here:
   * RW       (read from SCR_EL3.RW as needed)
   */
 -uint64_t arm_hcr_el2_eff(CPUARMState *env)
 +uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, bool secure)
  {
      uint64_t ret = env->cp15.hcr_el2;
 -    if (!arm_is_el2_enabled(env)) {
 +    if (!arm_is_el2_enabled_secstate(env, secure)) {
          /*
           * "This register has no effect if EL2 is not enabled in the
           * current Security state".  This is ARMv8.4-SecEL2 speak for
@@ -XXX,XX +XXX,XX @@ uint64_t arm_hcr_el2_eff(CPUARMState *env)
      return ret;
  }
 +uint64_t arm_hcr_el2_eff(CPUARMState *env)
 +{
-+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK | R_SVCR_ZA_MASK);
++    return arm_hcr_el2_eff_secstate(env, arm_is_secure_below_el3(env));
 +}
 +
  TCGv_i64 clean_data_tbi(DisasContext *s, TCGv_i64 addr);
  TCGv_i64 gen_mte_check1(DisasContext *s, TCGv_i64 addr, bool is_write,
                          bool tag_checked, int log2_size);
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool sme_access_check(DisasContext *s)
      return true;
  }
 +/* This function corresponds to CheckSMEEnabled. */
 +bool sme_enabled_check(DisasContext *s)
 +{
 +    /*
 +     * Note that unlike sve_excp_el, we have not constrained sme_excp_el
 +     * to be zero when fp_excp_el has priority.  This is because we need
 +     * sme_excp_el by itself for cpregs access checks.
 +     */
 +    if (!s->fp_excp_el || s->sme_excp_el < s->fp_excp_el) {
 +        s->fp_access_checked = true;
 +        return sme_access_check(s);
 +    }
 +    return fp_access_check_only(s);
 +}
 +
 +/* Common subroutine for CheckSMEAnd*Enabled. */
 +bool sme_enabled_check_with_svcr(DisasContext *s, unsigned req)
 +{
 +    if (!sme_enabled_check(s)) {
 +        return false;
 +    }
 +    if (FIELD_EX64(req, SVCR, SM) && !s->pstate_sm) {
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                           syn_smetrap(SME_ET_NotStreaming, false));
 +        return false;
 +    }
 +    if (FIELD_EX64(req, SVCR, ZA) && !s->pstate_za) {
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                           syn_smetrap(SME_ET_InactiveZA, false));
 +        return false;
 +    }
 +    return true;
 +}
 +
  /*
-  * This utility function is for doing register extension with an
+  * Corresponds to ARM pseudocode function ELIsInHost().
-  * optional shift. You will likely want to pass a temporary for the
+  */
 --
 .25.1

-[PULL 35/45] linux-user/aarch64: Add SM bit to SVE signal context
+[PULL 18/28] target/arm: Hoist read of *is_secure in S1_ptw_translate
 From: Richard Henderson <richard.henderson@linaro.org>
-Make sure to zero the currently reserved fields.
+Rename the argument to is_secure_ptr, and introduce a
 local variable is_secure with the value.  We only write
 back to the pointer toward the end of the function.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-36-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-15-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/signal.c | 9 ++++++++-
+ target/arm/ptw.c | 22 ++++++++++++----------
-file changed, 8 insertions(+), 1 deletion(-)
+file changed, 12 insertions(+), 10 deletions(-)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/target/arm/ptw.c
-+++ b/linux-user/aarch64/signal.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ struct target_extra_context {
+@@ -XXX,XX +XXX,XX @@ static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
- struct target_sve_context {
-     struct target_aarch64_ctx head;
+ /* Translate a S1 pagetable walk through S2 if needed.  */
-     uint16_t vl;
+ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
--    uint16_t reserved[3];
+-                               hwaddr addr, bool *is_secure,
-+    uint16_t flags;
++                               hwaddr addr, bool *is_secure_ptr,
-+    uint16_t reserved[2];
+                                ARMMMUFaultInfo *fi)
      /* The actual SVE data immediately follows.  It is laid out
       * according to TARGET_SVE_SIG_{Z,P}REG_OFFSET, based off of
       * the original struct pointer.
@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
  #define TARGET_SVE_SIG_CONTEXT_SIZE(VQ) \
      (TARGET_SVE_SIG_PREG_OFFSET(VQ, 17))
 +#define TARGET_SVE_SIG_FLAG_SM  1
 +
  struct target_rt_sigframe {
      struct target_siginfo info;
      struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
  {
-     int i, j;
+-    ARMMMUIdx s2_mmu_idx = *is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
++    bool is_secure = *is_secure_ptr;
-+    memset(sve, 0, sizeof(*sve));
++    ARMMMUIdx s2_mmu_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
-     __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
-     __put_user(size, &sve->head.size);
+     if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
-     __put_user(vq * TARGET_SVE_VQ_BYTES, &sve->vl);
+-        !regime_translation_disabled(env, s2_mmu_idx, *is_secure)) {
-+    if (FIELD_EX64(env->svcr, SVCR, SM)) {
++        !regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
-+        __put_user(TARGET_SVE_SIG_FLAG_SM, &sve->flags);
+         GetPhysAddrResult s2 = {};
-+    }
+         int ret;
-     /* Note that SVE regs are stored as a byte stream, with each byte element
+         ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx,
-      * at a subsequent address.  This corresponds to a little-endian store
+-                                 *is_secure, false, &s2, fi);
 +                                 is_secure, false, &s2, fi);
          if (ret) {
              assert(fi->type != ARMFault_None);
              fi->s2addr = addr;
              fi->stage2 = true;
              fi->s1ptw = true;
 -            fi->s1ns = !*is_secure;
 +            fi->s1ns = !is_secure;
              return ~0;
          }
          if ((arm_hcr_el2_eff(env) & HCR_PTW) &&
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
              fi->s2addr = addr;
              fi->stage2 = true;
              fi->s1ptw = true;
 -            fi->s1ns = !*is_secure;
 +            fi->s1ns = !is_secure;
              return ~0;
          }
          if (arm_is_secure_below_el3(env)) {
              /* Check if page table walk is to secure or non-secure PA space. */
 -            if (*is_secure) {
 -                *is_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
 +            if (is_secure) {
 +                is_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
              } else {
 -                *is_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
 +                is_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
              }
 +            *is_secure_ptr = is_secure;
          } else {
 -            assert(!*is_secure);
 +            assert(!is_secure);
          }
          addr = s2.phys;
 --
 .25.1

-[PULL 11/45] target/arm: Mark gather/scatter load/store as non-streaming
+[PULL 19/28] target/arm: Remove env argument from combined_attrs_fwb
 From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
+This value is unused.
 if full a64 support is not enabled in streaming mode.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20221001162318.153420-16-richard.henderson@linaro.org
 Message-id: 20220708151540.18136-12-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sme-fa64.decode | 9 ---------
+ target/arm/ptw.c | 5 ++---
- target/arm/translate-sve.c | 6 ++++++
+file changed, 2 insertions(+), 3 deletions(-)
 files changed, 6 insertions(+), 9 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
+--- a/target/arm/ptw.c
-+++ b/target/arm/sme-fa64.decode
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+@@ -XXX,XX +XXX,XX @@ static uint8_t force_cacheattr_nibble_wb(uint8_t attr)
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+  * s1 and s2 for the HCR_EL2.FWB == 1 case, returning the
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+  * combined attributes in MAIR_EL1 format.
+  */
--FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
+-static uint8_t combined_attrs_fwb(CPUARMState *env,
- FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
+-                                  ARMCacheAttrs s1, ARMCacheAttrs s2)
- FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
++static uint8_t combined_attrs_fwb(ARMCacheAttrs s1, ARMCacheAttrs s2)
--FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
+ {
--FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
+     switch (s2.attrs) {
--FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
+     case 7:
--FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
+@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
- FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
- FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
+     /* Combine memory type and cacheability attributes */
- FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
+     if (arm_hcr_el2_eff(env) & HCR_FWB) {
- FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
+-        ret.attrs = combined_attrs_fwb(env, s1, s2);
- FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
++        ret.attrs = combined_attrs_fwb(s1, s2);
--FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
+     } else {
--FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
+         ret.attrs = combined_attrs_nofwb(env, s1, s2);
 -FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
 -FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zprz(DisasContext *s, arg_LD1_zprz *a)
      if (!dc_isar_feature(aa64_sve, s)) {
          return false;
      }
 +    s->is_nonstreaming = true;
      if (!sve_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zpiz(DisasContext *s, arg_LD1_zpiz *a)
      if (!dc_isar_feature(aa64_sve, s)) {
          return false;
      }
 +    s->is_nonstreaming = true;
      if (!sve_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_LDNT1_zprz(DisasContext *s, arg_LD1_zprz *a)
      if (!dc_isar_feature(aa64_sve2, s)) {
          return false;
      }
 +    s->is_nonstreaming = true;
      if (!sve_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zprz(DisasContext *s, arg_ST1_zprz *a)
      if (!dc_isar_feature(aa64_sve, s)) {
          return false;
      }
 +    s->is_nonstreaming = true;
      if (!sve_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zpiz(DisasContext *s, arg_ST1_zpiz *a)
      if (!dc_isar_feature(aa64_sve, s)) {
          return false;
      }
 +    s->is_nonstreaming = true;
      if (!sve_access_check(s)) {
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_STNT1_zprz(DisasContext *s, arg_ST1_zprz *a)
      if (!dc_isar_feature(aa64_sve2, s)) {
          return false;
      }
 +    s->is_nonstreaming = true;
      if (!sve_access_check(s)) {
          return true;
      }
 --
 .25.1

-[PULL 02/45] target/arm: Add infrastructure for disas_sme
+[PULL 20/28] target/arm: Pass HCR to attribute subroutines.
 From: Richard Henderson <richard.henderson@linaro.org>
-This includes the build rules for the decoder, and the
+These subroutines did not need ENV for anything except
-new file for translation, but excludes any instructions.
+retrieving the effective value of HCR anyway.
 We have computed the effective value of HCR in the callers,
 and this will be especially important for interpreting HCR
 in a non-current security state.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-3-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-17-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.h |  1 +
+ target/arm/ptw.c | 30 +++++++++++++++++-------------
- target/arm/sme.decode      | 20 ++++++++++++++++++++
+file changed, 17 insertions(+), 13 deletions(-)
  target/arm/translate-a64.c |  7 ++++++-
  target/arm/translate-sme.c | 35 +++++++++++++++++++++++++++++++++++
  target/arm/meson.build     |  2 ++
 files changed, 64 insertions(+), 1 deletion(-)
  create mode 100644 target/arm/sme.decode
  create mode 100644 target/arm/translate-sme.c
-diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/translate-a64.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static inline int pred_gvec_reg_size(DisasContext *s)
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
      return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
  }
- bool disas_sve(DisasContext *, uint32_t);
+-static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
-+bool disas_sme(DisasContext *, uint32_t);
++static bool ptw_attrs_are_device(uint64_t hcr, ARMCacheAttrs cacheattrs)
+ {
- void gen_gvec_rax1(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
+     /*
-                    uint32_t rm_ofs, uint32_t opr_sz, uint32_t max_sz);
+      * For an S1 page table walk, the stage 1 attributes are always
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
+@@ -XXX,XX +XXX,XX @@ static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
-new file mode 100644
+      * when cacheattrs.attrs bit [2] is 0.
-index XXXXXXX..XXXXXXX
+      */
---- /dev/null
+     assert(cacheattrs.is_s2_format);
-+++ b/target/arm/sme.decode
+-    if (arm_hcr_el2_eff(env) & HCR_FWB) {
-@@ -XXX,XX +XXX,XX @@
++    if (hcr & HCR_FWB) {
-+# AArch64 SME instruction descriptions
+         return (cacheattrs.attrs & 0x4) == 0;
-+#
+     } else {
-+#  Copyright (c) 2022 Linaro, Ltd
+         return (cacheattrs.attrs & 0xc) == 0;
-+#
+@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-+# This library is free software; you can redistribute it and/or
+     if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
-+# modify it under the terms of the GNU Lesser General Public
+         !regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
-+# License as published by the Free Software Foundation; either
+         GetPhysAddrResult s2 = {};
-+# version 2.1 of the License, or (at your option) any later version.
++        uint64_t hcr;
-+#
+         int ret;
-+# This library is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+         ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx,
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-+# Lesser General Public License for more details.
+             fi->s1ns = !is_secure;
-+#
+             return ~0;
-+# You should have received a copy of the GNU Lesser General Public
+         }
-+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
+-        if ((arm_hcr_el2_eff(env) & HCR_PTW) &&
 -            ptw_attrs_are_device(env, s2.cacheattrs)) {
 +
-+#
++        hcr = arm_hcr_el2_eff(env);
-+# This file is processed by scripts/decodetree.py
++        if ((hcr & HCR_PTW) && ptw_attrs_are_device(hcr, s2.cacheattrs)) {
-+#
+             /*
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+              * PTW set and S1 walk touched S2 Device memory:
-index XXXXXXX..XXXXXXX 100644
+              * generate Permission fault.
---- a/target/arm/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
-+++ b/target/arm/translate-a64.c
+  * ref: shared/translation/attrs/S2AttrDecode()
-@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+  *      .../S2ConvertAttrsHints()
   */
 -static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
 +static uint8_t convert_stage2_attrs(uint64_t hcr, uint8_t s2attrs)
  {
      uint8_t hiattr = extract32(s2attrs, 2, 2);
      uint8_t loattr = extract32(s2attrs, 0, 2);
      uint8_t hihint = 0, lohint = 0;
      if (hiattr != 0) { /* normal memory */
 -        if (arm_hcr_el2_eff(env) & HCR_CD) { /* cache disabled */
 +        if (hcr & HCR_CD) { /* cache disabled */
              hiattr = loattr = 1; /* non-cacheable */
          } else {
              if (hiattr != 1) { /* Write-through or write-back */
@@ -XXX,XX +XXX,XX @@ static uint8_t combine_cacheattr_nibble(uint8_t s1, uint8_t s2)
   * s1 and s2 for the HCR_EL2.FWB == 0 case, returning the
   * combined attributes in MAIR_EL1 format.
   */
 -static uint8_t combined_attrs_nofwb(CPUARMState *env,
 +static uint8_t combined_attrs_nofwb(uint64_t hcr,
                                      ARMCacheAttrs s1, ARMCacheAttrs s2)
  {
      uint8_t s1lo, s2lo, s1hi, s2hi, s2_mair_attrs, ret_attrs;
 -    s2_mair_attrs = convert_stage2_attrs(env, s2.attrs);
 +    s2_mair_attrs = convert_stage2_attrs(hcr, s2.attrs);
      s1lo = extract32(s1.attrs, 0, 4);
      s2lo = extract32(s2_mair_attrs, 0, 4);
@@ -XXX,XX +XXX,XX @@ static uint8_t combined_attrs_fwb(ARMCacheAttrs s1, ARMCacheAttrs s2)
   * @s1:      Attributes from stage 1 walk
   * @s2:      Attributes from stage 2 walk
   */
 -static ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
 +static ARMCacheAttrs combine_cacheattrs(uint64_t hcr,
                                          ARMCacheAttrs s1, ARMCacheAttrs s2)
  {
      ARMCacheAttrs ret;
@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
      }
-     switch (extract32(insn, 25, 4)) {
+     /* Combine memory type and cacheability attributes */
--    case 0x0: case 0x1: case 0x3: /* UNALLOCATED */
+-    if (arm_hcr_el2_eff(env) & HCR_FWB) {
-+    case 0x0:
++    if (hcr & HCR_FWB) {
-+        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
+         ret.attrs = combined_attrs_fwb(s1, s2);
-+            unallocated_encoding(s);
+     } else {
-+        }
+-        ret.attrs = combined_attrs_nofwb(env, s1, s2);
-+        break;
++        ret.attrs = combined_attrs_nofwb(hcr, s1, s2);
-+    case 0x1: case 0x3: /* UNALLOCATED */
+     }
-         unallocated_encoding(s);
-         break;
+     /*
-     case 0x2:
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
+             ARMCacheAttrs cacheattrs1;
-new file mode 100644
+             ARMMMUIdx s2_mmu_idx;
-index XXXXXXX..XXXXXXX
+             bool is_el0;
---- /dev/null
++            uint64_t hcr;
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@
+             ret = get_phys_addr_with_secure(env, address, access_type,
-+/*
+                                             s1_mmu_idx, is_secure, result, fi);
-+ * AArch64 SME translation
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
-+ *
+             }
-+ * Copyright (c) 2022 Linaro, Ltd
-+ *
+             /* Combine the S1 and S2 cache attributes. */
-+ * This library is free software; you can redistribute it and/or
+-            if (arm_hcr_el2_eff(env) & HCR_DC) {
-+ * modify it under the terms of the GNU Lesser General Public
++            hcr = arm_hcr_el2_eff(env);
-+ * License as published by the Free Software Foundation; either
++            if (hcr & HCR_DC) {
-+ * version 2.1 of the License, or (at your option) any later version.
+                 /*
-+ *
+                  * HCR.DC forces the first stage attributes to
-+ * This library is distributed in the hope that it will be useful,
+                  *  Normal Non-Shareable,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+                 }
-+ * Lesser General Public License for more details.
+                 cacheattrs1.shareability = 0;
-+ *
+             }
-+ * You should have received a copy of the GNU Lesser General Public
+-            result->cacheattrs = combine_cacheattrs(env, cacheattrs1,
-+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
++            result->cacheattrs = combine_cacheattrs(hcr, cacheattrs1,
-+ */
+                                                     result->cacheattrs);
-+
-+#include "qemu/osdep.h"
+             /*
 +#include "cpu.h"
 +#include "tcg/tcg-op.h"
 +#include "tcg/tcg-op-gvec.h"
 +#include "tcg/tcg-gvec-desc.h"
 +#include "translate.h"
 +#include "exec/helper-gen.h"
 +#include "translate-a64.h"
 +#include "fpu/softfloat.h"
 +
 +
 +/*
 + * Include the generated decoder.
 + */
 +
 +#include "decode-sme.c.inc"
 diff --git a/target/arm/meson.build b/target/arm/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/meson.build
 +++ b/target/arm/meson.build
@@ -XXX,XX +XXX,XX @@
  gen = [
    decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
 +  decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
    decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
    decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
    decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
    'sme_helper.c',
    'translate-a64.c',
    'translate-sve.c',
 +  'translate-sme.c',
  ))
  arm_softmmu_ss = ss.source_set()
 --
 .25.1

-[PULL 04/45] target/arm: Mark ADR as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark ADR as a non-streaming instruction, which should trap
-if full a64 support is not enabled in streaming mode.
-Removing entries from sme-fa64.decode is an easy way to see
-what remains to be done.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-5-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate.h     | 7 +++++++
- target/arm/sme-fa64.decode | 1 -
- target/arm/translate-sve.c | 8 ++++----
-files changed, 11 insertions(+), 5 deletions(-)
-diff --git a/target/arm/translate.h b/target/arm/translate.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.h
-+++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ uint64_t asimd_imm_const(uint32_t imm, int cmode, int op);
-     static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \
-     { return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__); }
-+#define TRANS_FEAT_NONSTREAMING(NAME, FEAT, FUNC, ...)            \
-+    static bool trans_##NAME(DisasContext *s, arg_##NAME *a)      \
-+    {                                                             \
-+        s->is_nonstreaming = true;                                \
-+        return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__);  \
-+    }
-+
- #endif /* TARGET_ARM_TRANSLATE_H */
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
- FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
- FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
- FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool do_adr(DisasContext *s, arg_rrri *a, gen_helper_gvec_3 *fn)
-     return gen_gvec_ool_zzz(s, fn, a->rd, a->rn, a->rm, a->imm);
- }
--TRANS_FEAT(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
--TRANS_FEAT(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
--TRANS_FEAT(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
--TRANS_FEAT(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
-+TRANS_FEAT_NONSTREAMING(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
-+TRANS_FEAT_NONSTREAMING(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
-+TRANS_FEAT_NONSTREAMING(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
-+TRANS_FEAT_NONSTREAMING(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
- /*
-  *** SVE Integer Misc - Unpredicated Group
---
-.25.1

-[PULL 05/45] target/arm: Mark RDFFR, WRFFR, SETFFR as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-6-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode | 2 --
- target/arm/translate-sve.c | 9 ++++++---
-files changed, 6 insertions(+), 5 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
- FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
--FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
--FAIL    0010 0101 --10 1--- 1001 ---- ---- ----   # WRFFR, SETFFR
- FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
- FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
- FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool do_predset(DisasContext *s, int esz, int rd, int pat, bool setflag)
- TRANS_FEAT(PTRUE, aa64_sve, do_predset, a->esz, a->rd, a->pat, a->s)
- /* Note pat == 31 is #all, to set all elements.  */
--TRANS_FEAT(SETFFR, aa64_sve, do_predset, 0, FFR_PRED_NUM, 31, false)
-+TRANS_FEAT_NONSTREAMING(SETFFR, aa64_sve,
-+                        do_predset, 0, FFR_PRED_NUM, 31, false)
- /* Note pat == 32 is #unimp, to set no elements.  */
- TRANS_FEAT(PFALSE, aa64_sve, do_predset, 0, a->rd, 32, false)
-@@ -XXX,XX +XXX,XX @@ static bool trans_RDFFR_p(DisasContext *s, arg_RDFFR_p *a)
-         .rd = a->rd, .pg = a->pg, .s = a->s,
-         .rn = FFR_PRED_NUM, .rm = FFR_PRED_NUM,
-     };
-+
-+    s->is_nonstreaming = true;
-     return trans_AND_pppp(s, &alt_a);
- }
--TRANS_FEAT(RDFFR, aa64_sve, do_mov_p, a->rd, FFR_PRED_NUM)
--TRANS_FEAT(WRFFR, aa64_sve, do_mov_p, FFR_PRED_NUM, a->rn)
-+TRANS_FEAT_NONSTREAMING(RDFFR, aa64_sve, do_mov_p, a->rd, FFR_PRED_NUM)
-+TRANS_FEAT_NONSTREAMING(WRFFR, aa64_sve, do_mov_p, FFR_PRED_NUM, a->rn)
- static bool do_pfirst_pnext(DisasContext *s, arg_rr_esz *a,
-                             void (*gen_fn)(TCGv_i32, TCGv_ptr,
---
-.25.1

-[PULL 06/45] target/arm: Mark BDEP, BEXT, BGRP, COMPACT, FEXPA, FTSSEL as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-7-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  3 ---
- target/arm/translate-sve.c | 22 ++++++++++++----------
-files changed, 12 insertions(+), 13 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
--FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
--FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
- FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
- FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
- FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_2 * const fexpa_fns[4] = {
-     NULL,                   gen_helper_sve_fexpa_h,
-     gen_helper_sve_fexpa_s, gen_helper_sve_fexpa_d,
- };
--TRANS_FEAT(FEXPA, aa64_sve, gen_gvec_ool_zz,
--           fexpa_fns[a->esz], a->rd, a->rn, 0)
-+TRANS_FEAT_NONSTREAMING(FEXPA, aa64_sve, gen_gvec_ool_zz,
-+                        fexpa_fns[a->esz], a->rd, a->rn, 0)
- static gen_helper_gvec_3 * const ftssel_fns[4] = {
-     NULL,                    gen_helper_sve_ftssel_h,
-     gen_helper_sve_ftssel_s, gen_helper_sve_ftssel_d,
- };
--TRANS_FEAT(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz, ftssel_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz,
-+                        ftssel_fns[a->esz], a, 0)
- /*
-  *** SVE Predicate Logical Operations Group
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(TRN2_q, aa64_sve_f64mm, gen_gvec_ool_arg_zzz,
- static gen_helper_gvec_3 * const compact_fns[4] = {
-     NULL, NULL, gen_helper_sve_compact_s, gen_helper_sve_compact_d
- };
--TRANS_FEAT(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz, compact_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz,
-+                        compact_fns[a->esz], a, 0)
- /* Call the helper that computes the ARM LastActiveElement pseudocode
-  * function, scaled by the element size.  This includes the not found
-@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_3 * const bext_fns[4] = {
-     gen_helper_sve2_bext_b, gen_helper_sve2_bext_h,
-     gen_helper_sve2_bext_s, gen_helper_sve2_bext_d,
- };
--TRANS_FEAT(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
--           bext_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-+                        bext_fns[a->esz], a, 0)
- static gen_helper_gvec_3 * const bdep_fns[4] = {
-     gen_helper_sve2_bdep_b, gen_helper_sve2_bdep_h,
-     gen_helper_sve2_bdep_s, gen_helper_sve2_bdep_d,
- };
--TRANS_FEAT(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
--           bdep_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-+                        bdep_fns[a->esz], a, 0)
- static gen_helper_gvec_3 * const bgrp_fns[4] = {
-     gen_helper_sve2_bgrp_b, gen_helper_sve2_bgrp_h,
-     gen_helper_sve2_bgrp_s, gen_helper_sve2_bgrp_d,
- };
--TRANS_FEAT(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
--           bgrp_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-+                        bgrp_fns[a->esz], a, 0)
- static gen_helper_gvec_3 * const cadd_fns[4] = {
-     gen_helper_sve2_cadd_b, gen_helper_sve2_cadd_h,
---
-.25.1

-[PULL 07/45] target/arm: Mark PMULL, FMMLA as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-8-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  2 --
- target/arm/translate-sve.c | 24 +++++++++++++++---------
-files changed, 15 insertions(+), 11 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
--FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
- FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
- FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
- FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool do_trans_pmull(DisasContext *s, arg_rrr_esz *a, bool sel)
-         gen_helper_gvec_pmull_q, gen_helper_sve2_pmull_h,
-         NULL,                    gen_helper_sve2_pmull_d,
-     };
--    if (a->esz == 0
--        ? !dc_isar_feature(aa64_sve2_pmull128, s)
--        : !dc_isar_feature(aa64_sve, s)) {
-+
-+    if (a->esz == 0) {
-+        if (!dc_isar_feature(aa64_sve2_pmull128, s)) {
-+            return false;
-+        }
-+        s->is_nonstreaming = true;
-+    } else if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-     return gen_gvec_ool_arg_zzz(s, fns[a->esz], a, sel);
-@@ -XXX,XX +XXX,XX @@ DO_ZPZZ_FP(FMINP, aa64_sve2, sve2_fminp_zpzz)
-  * SVE Integer Multiply-Add (unpredicated)
-  */
--TRANS_FEAT(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_s,
--           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
--TRANS_FEAT(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_d,
--           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
-+TRANS_FEAT_NONSTREAMING(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz,
-+                        gen_helper_fmmla_s, a->rd, a->rn, a->rm, a->ra,
-+                        0, FPST_FPCR)
-+TRANS_FEAT_NONSTREAMING(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz,
-+                        gen_helper_fmmla_d, a->rd, a->rn, a->rm, a->ra,
-+                        0, FPST_FPCR)
- static gen_helper_gvec_4 * const sqdmlal_zzzw_fns[] = {
-     NULL,                           gen_helper_sve2_sqdmlal_zzzw_h,
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(BFDOT_zzzz, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
- TRANS_FEAT(BFDOT_zzxz, aa64_sve_bf16, gen_gvec_ool_arg_zzxz,
-            gen_helper_gvec_bfdot_idx, a)
--TRANS_FEAT(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
--           gen_helper_gvec_bfmmla, a, 0)
-+TRANS_FEAT_NONSTREAMING(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
-+                        gen_helper_gvec_bfmmla, a, 0)
- static bool do_BFMLAL_zzzw(DisasContext *s, arg_rrrr_esz *a, bool sel)
- {
---
-.25.1

-[PULL 21/45] target/arm: Export unpredicated ld/st from translate-sve.c
+[PULL 21/28] target/arm: Fix ATS12NSO* from S PL1
 From: Richard Henderson <richard.henderson@linaro.org>
-Add a TCGv_ptr base argument, which will be cpu_env for SVE.
+Use arm_hcr_el2_eff_secstate instead of arm_hcr_el2_eff, so
-We will reuse this for SME save and restore array insns.
+that we use is_secure instead of the current security state.
 These AT* operations have been broken since arm_hcr_el2_eff
 gained a check for "el2 enabled" for Secure EL2.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-22-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-18-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.h |  3 +++
+ target/arm/ptw.c | 8 ++++----
- target/arm/translate-sve.c | 48 ++++++++++++++++++++++++++++----------
+file changed, 4 insertions(+), 4 deletions(-)
 files changed, 39 insertions(+), 12 deletions(-)
-diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/translate-a64.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ void gen_gvec_xar(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
                    uint32_t rm_ofs, int64_t shift,
                    uint32_t opr_sz, uint32_t max_sz);
 +void gen_sve_ldr(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
 +void gen_sve_str(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
 +
  #endif /* TARGET_ARM_TRANSLATE_A64_H */
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(UCVTF_dd, aa64_sve, gen_gvec_fpst_arg_zpz,
   * The load should begin at the address Rn + IMM.
   */
 -static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 +void gen_sve_ldr(DisasContext *s, TCGv_ptr base, int vofs,
 +                 int len, int rn, int imm)
  {
      int len_align = QEMU_ALIGN_DOWN(len, 8);
      int len_remain = len % 8;
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          t0 = tcg_temp_new_i64();
          for (i = 0; i < len_align; i += 8) {
              tcg_gen_qemu_ld_i64(t0, clean_addr, midx, MO_LEUQ);
 -            tcg_gen_st_i64(t0, cpu_env, vofs + i);
 +            tcg_gen_st_i64(t0, base, vofs + i);
              tcg_gen_addi_i64(clean_addr, clean_addr, 8);
          }
-         tcg_temp_free_i64(t0);
-@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
-         clean_addr = new_tmp_a64_local(s);
-         tcg_gen_mov_i64(clean_addr, t0);
-+        if (base != cpu_env) {
-+            TCGv_ptr b = tcg_temp_local_new_ptr();
-+            tcg_gen_mov_ptr(b, base);
-+            base = b;
-+        }
-+
-         gen_set_label(loop);
-         t0 = tcg_temp_new_i64();
-@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
-         tcg_gen_addi_i64(clean_addr, clean_addr, 8);
-         tp = tcg_temp_new_ptr();
--        tcg_gen_add_ptr(tp, cpu_env, i);
-+        tcg_gen_add_ptr(tp, base, i);
-         tcg_gen_addi_ptr(i, i, 8);
-         tcg_gen_st_i64(t0, tp, vofs);
-         tcg_temp_free_ptr(tp);
-@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
-         tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
-         tcg_temp_free_ptr(i);
-+
-+        if (base != cpu_env) {
-+            tcg_temp_free_ptr(base);
-+            assert(len_remain == 0);
-+        }
      }
-     /*
+-    hcr_el2 = arm_hcr_el2_eff(env);
-@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
++    hcr_el2 = arm_hcr_el2_eff_secstate(env, is_secure);
-         default:
-             g_assert_not_reached();
+     switch (mmu_idx) {
      case ARMMMUIdx_Stage2:
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
              return ~0;
          }
--        tcg_gen_st_i64(t0, cpu_env, vofs + len_align);
-+        tcg_gen_st_i64(t0, base, vofs + len_align);
+-        hcr = arm_hcr_el2_eff(env);
-         tcg_temp_free_i64(t0);
++        hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-     }
+         if ((hcr & HCR_PTW) && ptw_attrs_are_device(hcr, s2.cacheattrs)) {
- }
+             /*
+              * PTW set and S1 walk touched S2 Device memory:
- /* Similarly for stores.  */
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
--static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+             }
-+void gen_sve_str(DisasContext *s, TCGv_ptr base, int vofs,
-+                 int len, int rn, int imm)
+             /* Combine the S1 and S2 cache attributes. */
- {
+-            hcr = arm_hcr_el2_eff(env);
-     int len_align = QEMU_ALIGN_DOWN(len, 8);
++            hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-     int len_remain = len % 8;
+             if (hcr & HCR_DC) {
-@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+                 /*
+                  * HCR.DC forces the first stage attributes to
-         t0 = tcg_temp_new_i64();
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
-         for (i = 0; i < len_align; i += 8) {
+         result->page_size = TARGET_PAGE_SIZE;
--            tcg_gen_ld_i64(t0, cpu_env, vofs + i);
-+            tcg_gen_ld_i64(t0, base, vofs + i);
+         /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
-             tcg_gen_qemu_st_i64(t0, clean_addr, midx, MO_LEUQ);
+-        hcr = arm_hcr_el2_eff(env);
-             tcg_gen_addi_i64(clean_addr, clean_addr, 8);
++        hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-         }
+         result->cacheattrs.shareability = 0;
-@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+         result->cacheattrs.is_s2_format = false;
-         clean_addr = new_tmp_a64_local(s);
+         if (hcr & HCR_DC) {
          tcg_gen_mov_i64(clean_addr, t0);
 +        if (base != cpu_env) {
 +            TCGv_ptr b = tcg_temp_local_new_ptr();
 +            tcg_gen_mov_ptr(b, base);
 +            base = b;
 +        }
 +
          gen_set_label(loop);
          t0 = tcg_temp_new_i64();
          tp = tcg_temp_new_ptr();
 -        tcg_gen_add_ptr(tp, cpu_env, i);
 +        tcg_gen_add_ptr(tp, base, i);
          tcg_gen_ld_i64(t0, tp, vofs);
          tcg_gen_addi_ptr(i, i, 8);
          tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
          tcg_temp_free_ptr(i);
 +
 +        if (base != cpu_env) {
 +            tcg_temp_free_ptr(base);
 +            assert(len_remain == 0);
 +        }
      }
      /* Predicate register stores can be any multiple of 2.  */
      if (len_remain) {
          t0 = tcg_temp_new_i64();
 -        tcg_gen_ld_i64(t0, cpu_env, vofs + len_align);
 +        tcg_gen_ld_i64(t0, base, vofs + len_align);
          switch (len_remain) {
          case 2:
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_zri(DisasContext *s, arg_rri *a)
      if (sve_access_check(s)) {
          int size = vec_full_reg_size(s);
          int off = vec_full_reg_offset(s, a->rd);
 -        do_ldr(s, off, size, a->rn, a->imm * size);
 +        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
      }
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_pri(DisasContext *s, arg_rri *a)
      if (sve_access_check(s)) {
          int size = pred_full_reg_size(s);
          int off = pred_full_reg_offset(s, a->rd);
 -        do_ldr(s, off, size, a->rn, a->imm * size);
 +        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
      }
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_zri(DisasContext *s, arg_rri *a)
      if (sve_access_check(s)) {
          int size = vec_full_reg_size(s);
          int off = vec_full_reg_offset(s, a->rd);
 -        do_str(s, off, size, a->rn, a->imm * size);
 +        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
      }
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_pri(DisasContext *s, arg_rri *a)
      if (sve_access_check(s)) {
          int size = pred_full_reg_size(s);
          int off = pred_full_reg_offset(s, a->rd);
 -        do_str(s, off, size, a->rn, a->imm * size);
 +        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
      }
      return true;
  }
 --
 .25.1

-[PULL 38/45] linux-user/aarch64: Verify extra record lock succeeded
+[PULL 22/28] target/arm: Split out get_phys_addr_disabled
 From: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-39-richard.henderson@linaro.org
+Message-id: 20221001162318.153420-19-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/signal.c | 3 +++
+ target/arm/ptw.c | 138 +++++++++++++++++++++++++----------------------
-file changed, 3 insertions(+)
+file changed, 74 insertions(+), 64 deletions(-)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/target/arm/ptw.c
-+++ b/linux-user/aarch64/signal.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(uint64_t hcr,
-             __get_user(extra_size,
+     return ret;
-                        &((struct target_extra_context *)ctx)->size);
+ }
-             extra = lock_user(VERIFY_READ, extra_datap, extra_size, 0);
-+            if (!extra) {
++/*
 + * MMU disabled.  S1 addresses within aa64 translation regimes are
 + * still checked for bounds -- see AArch64.S1DisabledOutput().
 + */
 +static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
 +                                   MMUAccessType access_type,
 +                                   ARMMMUIdx mmu_idx, bool is_secure,
 +                                   GetPhysAddrResult *result,
 +                                   ARMMMUFaultInfo *fi)
 +{
 +    uint64_t hcr;
 +    uint8_t memattr;
 +
 +    if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
 +        int r_el = regime_el(env, mmu_idx);
 +        if (arm_el_is_aa64(env, r_el)) {
 +            int pamax = arm_pamax(env_archcpu(env));
 +            uint64_t tcr = env->cp15.tcr_el[r_el];
 +            int addrtop, tbi;
 +
 +            tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
 +            if (access_type == MMU_INST_FETCH) {
 +                tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx);
 +            }
 +            tbi = (tbi >> extract64(address, 55, 1)) & 1;
 +            addrtop = (tbi ? 55 : 63);
 +
 +            if (extract64(address, pamax, addrtop - pamax + 1) != 0) {
 +                fi->type = ARMFault_AddressSize;
 +                fi->level = 0;
 +                fi->stage2 = false;
 +                return 1;
 +            }
-             break;
++
++            /*
-         default:
++             * When TBI is disabled, we've just validated that all of the
 +             * bits above PAMax are zero, so logically we only need to
 +             * clear the top byte for TBI.  But it's clearer to follow
 +             * the pseudocode set of addrdesc.paddress.
 +             */
 +            address = extract64(address, 0, 52);
 +        }
 +    }
 +
 +    result->phys = address;
 +    result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 +    result->page_size = TARGET_PAGE_SIZE;
 +
 +    /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
 +    hcr = arm_hcr_el2_eff_secstate(env, is_secure);
 +    result->cacheattrs.shareability = 0;
 +    result->cacheattrs.is_s2_format = false;
 +    if (hcr & HCR_DC) {
 +        if (hcr & HCR_DCT) {
 +            memattr = 0xf0;  /* Tagged, Normal, WB, RWA */
 +        } else {
 +            memattr = 0xff;  /* Normal, WB, RWA */
 +        }
 +    } else if (access_type == MMU_INST_FETCH) {
 +        if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
 +            memattr = 0xee;  /* Normal, WT, RA, NT */
 +        } else {
 +            memattr = 0x44;  /* Normal, NC, No */
 +        }
 +        result->cacheattrs.shareability = 2; /* outer sharable */
 +    } else {
 +        memattr = 0x00;      /* Device, nGnRnE */
 +    }
 +    result->cacheattrs.attrs = memattr;
 +    return 0;
 +}
 +
  bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                                 MMUAccessType access_type, ARMMMUIdx mmu_idx,
                                 bool is_secure, GetPhysAddrResult *result,
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
      /* Definitely a real MMU, not an MPU */
      if (regime_translation_disabled(env, mmu_idx, is_secure)) {
 -        uint64_t hcr;
 -        uint8_t memattr;
 -
 -        /*
 -         * MMU disabled.  S1 addresses within aa64 translation regimes are
 -         * still checked for bounds -- see AArch64.TranslateAddressS1Off.
 -         */
 -        if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
 -            int r_el = regime_el(env, mmu_idx);
 -            if (arm_el_is_aa64(env, r_el)) {
 -                int pamax = arm_pamax(env_archcpu(env));
 -                uint64_t tcr = env->cp15.tcr_el[r_el];
 -                int addrtop, tbi;
 -
 -                tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
 -                if (access_type == MMU_INST_FETCH) {
 -                    tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx);
 -                }
 -                tbi = (tbi >> extract64(address, 55, 1)) & 1;
 -                addrtop = (tbi ? 55 : 63);
 -
 -                if (extract64(address, pamax, addrtop - pamax + 1) != 0) {
 -                    fi->type = ARMFault_AddressSize;
 -                    fi->level = 0;
 -                    fi->stage2 = false;
 -                    return 1;
 -                }
 -
 -                /*
 -                 * When TBI is disabled, we've just validated that all of the
 -                 * bits above PAMax are zero, so logically we only need to
 -                 * clear the top byte for TBI.  But it's clearer to follow
 -                 * the pseudocode set of addrdesc.paddress.
 -                 */
 -                address = extract64(address, 0, 52);
 -            }
 -        }
 -        result->phys = address;
 -        result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 -        result->page_size = TARGET_PAGE_SIZE;
 -
 -        /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
 -        hcr = arm_hcr_el2_eff_secstate(env, is_secure);
 -        result->cacheattrs.shareability = 0;
 -        result->cacheattrs.is_s2_format = false;
 -        if (hcr & HCR_DC) {
 -            if (hcr & HCR_DCT) {
 -                memattr = 0xf0;  /* Tagged, Normal, WB, RWA */
 -            } else {
 -                memattr = 0xff;  /* Normal, WB, RWA */
 -            }
 -        } else if (access_type == MMU_INST_FETCH) {
 -            if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
 -                memattr = 0xee;  /* Normal, WT, RA, NT */
 -            } else {
 -                memattr = 0x44;  /* Normal, NC, No */
 -            }
 -            result->cacheattrs.shareability = 2; /* outer sharable */
 -        } else {
 -            memattr = 0x00;      /* Device, nGnRnE */
 -        }
 -        result->cacheattrs.attrs = memattr;
 -        return 0;
 +        return get_phys_addr_disabled(env, address, access_type, mmu_idx,
 +                                      is_secure, result, fi);
      }
 -
      if (regime_using_lpae_format(env, mmu_idx)) {
          return get_phys_addr_lpae(env, address, access_type, mmu_idx,
                                    is_secure, false, result, fi);
 --
 .25.1

-[PULL 23/45] target/arm: Implement SME ADDHA, ADDVA
+[PULL 23/28] target/arm: Fix cacheattr in get_phys_addr_disabled
 From: Richard Henderson <richard.henderson@linaro.org>
+Do not apply memattr or shareability for Stage2 translations.
+Make sure to apply HCR_{DC,DCT} only to Regime_EL10, per the
+pseudocode in AArch64.S1DisabledOutput.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20221001162318.153420-20-richard.henderson@linaro.org
 Message-id: 20220708151540.18136-24-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper-sme.h    |  5 +++
+ target/arm/ptw.c | 48 +++++++++++++++++++++++++-----------------------
- target/arm/sme.decode      | 11 +++++
+file changed, 25 insertions(+), 23 deletions(-)
  target/arm/sme_helper.c    | 90 ++++++++++++++++++++++++++++++++++++++
  target/arm/translate-sme.c | 31 +++++++++++++
 files changed, 137 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
+--- a/target/arm/ptw.c
-+++ b/target/arm/helper-sme.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sme_st1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
- DEF_HELPER_FLAGS_5(sme_st1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+                                    GetPhysAddrResult *result,
- DEF_HELPER_FLAGS_5(sme_st1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+                                    ARMMMUFaultInfo *fi)
- DEF_HELPER_FLAGS_5(sme_st1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+ {
 -    uint64_t hcr;
 -    uint8_t memattr;
 +    uint8_t memattr = 0x00;    /* Device nGnRnE */
 +    uint8_t shareability = 0;  /* non-sharable */
      if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
          int r_el = regime_el(env, mmu_idx);
 +
-+DEF_HELPER_FLAGS_5(sme_addha_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+         if (arm_el_is_aa64(env, r_el)) {
-+DEF_HELPER_FLAGS_5(sme_addva_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+             int pamax = arm_pamax(env_archcpu(env));
-+DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+             uint64_t tcr = env->cp15.tcr_el[r_el];
-+DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
+              */
-index XXXXXXX..XXXXXXX 100644
+             address = extract64(address, 0, 52);
---- a/target/arm/sme.decode
+         }
 +++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
  LDR             1110000 100 0 000000 .. 000 ..... 0 ....        @ldstr
  STR             1110000 100 1 000000 .. 000 ..... 0 ....        @ldstr
 +
-+### SME Add Vector to Array
++        /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
-+
++        if (r_el == 1) {
-+&adda           zad zn pm pn
++            uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-+@adda_32        ........ .. ..... . pm:3 pn:3 zn:5 ... zad:2    &adda
++            if (hcr & HCR_DC) {
-+@adda_64        ........ .. ..... . pm:3 pn:3 zn:5 ..  zad:3    &adda
++                if (hcr & HCR_DCT) {
-+
++                    memattr = 0xf0;  /* Tagged, Normal, WB, RWA */
-+ADDHA_s         11000000 10 01000 0 ... ... ..... 000 ..        @adda_32
++                } else {
-+ADDVA_s         11000000 10 01000 1 ... ... ..... 000 ..        @adda_32
++                    memattr = 0xff;  /* Normal, WB, RWA */
 +ADDHA_d         11000000 11 01000 0 ... ... ..... 00 ...        @adda_64
 +ADDVA_d         11000000 11 01000 1 ... ... ..... 00 ...        @adda_64
 diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@ DO_ST(q, _be, MO_128)
  DO_ST(q, _le, MO_128)
  #undef DO_ST
 +
 +void HELPER(sme_addha_s)(void *vzda, void *vzn, void *vpn,
 +                         void *vpm, uint32_t desc)
 +{
 +    intptr_t row, col, oprsz = simd_oprsz(desc) / 4;
 +    uint64_t *pn = vpn, *pm = vpm;
 +    uint32_t *zda = vzda, *zn = vzn;
 +
 +    for (row = 0; row < oprsz; ) {
 +        uint64_t pa = pn[row >> 4];
 +        do {
 +            if (pa & 1) {
 +                for (col = 0; col < oprsz; ) {
 +                    uint64_t pb = pm[col >> 4];
 +                    do {
 +                        if (pb & 1) {
 +                            zda[tile_vslice_index(row) + H4(col)] += zn[H4(col)];
 +                        }
 +                        pb >>= 4;
 +                    } while (++col & 15);
 +                }
 +            }
 +            pa >>= 4;
 +        } while (++row & 15);
 +    }
 +}
 +
 +void HELPER(sme_addha_d)(void *vzda, void *vzn, void *vpn,
 +                         void *vpm, uint32_t desc)
 +{
 +    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
 +    uint8_t *pn = vpn, *pm = vpm;
 +    uint64_t *zda = vzda, *zn = vzn;
 +
 +    for (row = 0; row < oprsz; ++row) {
 +        if (pn[H1(row)] & 1) {
 +            for (col = 0; col < oprsz; ++col) {
 +                if (pm[H1(col)] & 1) {
 +                    zda[tile_vslice_index(row) + col] += zn[col];
 +                }
 +            }
 +        }
-+    }
++        if (memattr == 0 && access_type == MMU_INST_FETCH) {
-+}
++            if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
-+
++                memattr = 0xee;  /* Normal, WT, RA, NT */
-+void HELPER(sme_addva_s)(void *vzda, void *vzn, void *vpn,
++            } else {
-+                         void *vpm, uint32_t desc)
++                memattr = 0x44;  /* Normal, NC, No */
 +{
 +    intptr_t row, col, oprsz = simd_oprsz(desc) / 4;
 +    uint64_t *pn = vpn, *pm = vpm;
 +    uint32_t *zda = vzda, *zn = vzn;
 +
 +    for (row = 0; row < oprsz; ) {
 +        uint64_t pa = pn[row >> 4];
 +        do {
 +            if (pa & 1) {
 +                uint32_t zn_row = zn[H4(row)];
 +                for (col = 0; col < oprsz; ) {
 +                    uint64_t pb = pm[col >> 4];
 +                    do {
 +                        if (pb & 1) {
 +                            zda[tile_vslice_index(row) + H4(col)] += zn_row;
 +                        }
 +                        pb >>= 4;
 +                    } while (++col & 15);
 +                }
 +            }
-+            pa >>= 4;
++            shareability = 2; /* outer sharable */
 +        } while (++row & 15);
 +    }
 +}
 +
 +void HELPER(sme_addva_d)(void *vzda, void *vzn, void *vpn,
 +                         void *vpm, uint32_t desc)
 +{
 +    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
 +    uint8_t *pn = vpn, *pm = vpm;
 +    uint64_t *zda = vzda, *zn = vzn;
 +
 +    for (row = 0; row < oprsz; ++row) {
 +        if (pn[H1(row)] & 1) {
 +            uint64_t zn_row = zn[row];
 +            for (col = 0; col < oprsz; ++col) {
 +                if (pm[H1(col)] & 1) {
 +                    zda[tile_vslice_index(row) + col] += zn_row;
 +                }
 +            }
 +        }
-+    }
++        result->cacheattrs.is_s2_format = false;
-+}
+     }
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
+     result->phys = address;
---- a/target/arm/translate-sme.c
+     result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
-+++ b/target/arm/translate-sme.c
+     result->page_size = TARGET_PAGE_SIZE;
-@@ -XXX,XX +XXX,XX @@ static bool do_ldst_r(DisasContext *s, arg_ldstr *a, GenLdStR *fn)
+-
+-    /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
- TRANS_FEAT(LDR, aa64_sme, do_ldst_r, a, gen_sve_ldr)
+-    hcr = arm_hcr_el2_eff_secstate(env, is_secure);
- TRANS_FEAT(STR, aa64_sme, do_ldst_r, a, gen_sve_str)
+-    result->cacheattrs.shareability = 0;
-+
+-    result->cacheattrs.is_s2_format = false;
-+static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,
+-    if (hcr & HCR_DC) {
-+                    gen_helper_gvec_4 *fn)
+-        if (hcr & HCR_DCT) {
-+{
+-            memattr = 0xf0;  /* Tagged, Normal, WB, RWA */
-+    int svl = streaming_vec_reg_size(s);
+-        } else {
-+    uint32_t desc = simd_desc(svl, svl, 0);
+-            memattr = 0xff;  /* Normal, WB, RWA */
-+    TCGv_ptr za, zn, pn, pm;
+-        }
-+
+-    } else if (access_type == MMU_INST_FETCH) {
-+    if (!sme_smza_enabled_check(s)) {
+-        if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
-+        return true;
+-            memattr = 0xee;  /* Normal, WT, RA, NT */
-+    }
+-        } else {
-+
+-            memattr = 0x44;  /* Normal, NC, No */
-+    /* Sum XZR+zad to find ZAd. */
+-        }
-+    za = get_tile_rowcol(s, esz, 31, a->zad, false);
+-        result->cacheattrs.shareability = 2; /* outer sharable */
-+    zn = vec_full_reg_ptr(s, a->zn);
+-    } else {
-+    pn = pred_full_reg_ptr(s, a->pn);
+-        memattr = 0x00;      /* Device, nGnRnE */
-+    pm = pred_full_reg_ptr(s, a->pm);
+-    }
-+
++    result->cacheattrs.shareability = shareability;
-+    fn(za, zn, pn, pm, tcg_constant_i32(desc));
+     result->cacheattrs.attrs = memattr;
-+
+     return 0;
-+    tcg_temp_free_ptr(za);
+ }
 +    tcg_temp_free_ptr(zn);
 +    tcg_temp_free_ptr(pn);
 +    tcg_temp_free_ptr(pm);
 +    return true;
 +}
 +
 +TRANS_FEAT(ADDHA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addha_s)
 +TRANS_FEAT(ADDVA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addva_s)
 +TRANS_FEAT(ADDHA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addha_d)
 +TRANS_FEAT(ADDVA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addva_d)
 --
 .25.1

-[PULL 08/45] target/arm: Mark FTSMUL, FTMAD, FADDA as non-streaming
+[PULL 24/28] target/arm: Use tlb_set_page_full
 From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
+Adjust GetPhysAddrResult to fill in CPUTLBEntryFull,
-if full a64 support is not enabled in streaming mode.
+so that it may be passed directly to tlb_set_page_full.
+The change is large, but mostly mechanical.  The major
+non-mechanical change is page_size -> lg_page_size.
+Most of the time this is obvious, and is related to
+TARGET_PAGE_BITS.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20221001162318.153420-21-richard.henderson@linaro.org
 Message-id: 20220708151540.18136-9-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sme-fa64.decode |  3 ---
+ target/arm/internals.h  |   5 +-
- target/arm/translate-sve.c | 15 +++++++++++----
+ target/arm/helper.c     |  12 +--
-files changed, 11 insertions(+), 7 deletions(-)
+ target/arm/m_helper.c   |  20 ++---
  target/arm/ptw.c        | 179 ++++++++++++++++++++--------------------
  target/arm/tlb_helper.c |   9 +-
 files changed, 111 insertions(+), 114 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
+--- a/target/arm/internals.h
-+++ b/target/arm/sme-fa64.decode
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+@@ -XXX,XX +XXX,XX @@ typedef struct ARMCacheAttrs {
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+ /* Fields that are valid upon success. */
+ typedef struct GetPhysAddrResult {
--FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
+-    hwaddr phys;
--FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
+-    target_ulong page_size;
--FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
+-    int prot;
- FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
+-    MemTxAttrs attrs;
- FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
++    CPUTLBEntryFull f;
- FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
+     ARMCacheAttrs cacheattrs;
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+ } GetPhysAddrResult;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
+--- a/target/arm/helper.c
-+++ b/target/arm/translate-sve.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_3_ptr * const ftmad_fns[4] = {
+@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
-     NULL,                   gen_helper_sve_ftmad_h,
+         /* Create a 64-bit PAR */
-     gen_helper_sve_ftmad_s, gen_helper_sve_ftmad_d,
+         par64 = (1 << 11); /* LPAE bit always set */
- };
+         if (!ret) {
--TRANS_FEAT(FTMAD, aa64_sve, gen_gvec_fpst_zzz,
+-            par64 |= res.phys & ~0xfffULL;
--           ftmad_fns[a->esz], a->rd, a->rn, a->rm, a->imm,
+-            if (!res.attrs.secure) {
--           a->esz == MO_16 ? FPST_FPCR_F16 : FPST_FPCR)
++            par64 |= res.f.phys_addr & ~0xfffULL;
-+TRANS_FEAT_NONSTREAMING(FTMAD, aa64_sve, gen_gvec_fpst_zzz,
++            if (!res.f.attrs.secure) {
-+                        ftmad_fns[a->esz], a->rd, a->rn, a->rm, a->imm,
+                 par64 |= (1 << 9); /* NS */
-+                        a->esz == MO_16 ? FPST_FPCR_F16 : FPST_FPCR)
+             }
+             par64 |= (uint64_t)res.cacheattrs.attrs << 56; /* ATTR */
- /*
+@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
-  *** SVE Floating Point Accumulating Reduction Group
+          */
-@@ -XXX,XX +XXX,XX @@ static bool trans_FADDA(DisasContext *s, arg_rprr_esz *a)
+         if (!ret) {
-     if (a->esz == 0 || !dc_isar_feature(aa64_sve, s)) {
+             /* We do not set any attribute bits in the PAR */
 -            if (res.page_size == (1 << 24)
 +            if (res.f.lg_page_size == 24
                  && arm_feature(env, ARM_FEATURE_V7)) {
 -                par64 = (res.phys & 0xff000000) | (1 << 1);
 +                par64 = (res.f.phys_addr & 0xff000000) | (1 << 1);
              } else {
 -                par64 = res.phys & 0xfffff000;
 +                par64 = res.f.phys_addr & 0xfffff000;
              }
 -            if (!res.attrs.secure) {
 +            if (!res.f.attrs.secure) {
                  par64 |= (1 << 9); /* NS */
              }
          } else {
 diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/m_helper.c
 +++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,
          }
          goto pend_fault;
      }
 -    address_space_stl_le(arm_addressspace(cs, res.attrs), res.phys, value,
 -                         res.attrs, &txres);
 +    address_space_stl_le(arm_addressspace(cs, res.f.attrs), res.f.phys_addr,
 +                         value, res.f.attrs, &txres);
      if (txres != MEMTX_OK) {
          /* BusFault trying to write the data */
          if (mode == STACK_LAZYFP) {
@@ -XXX,XX +XXX,XX @@ static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,
          goto pend_fault;
      }
 -    value = address_space_ldl(arm_addressspace(cs, res.attrs), res.phys,
 -                              res.attrs, &txres);
 +    value = address_space_ldl(arm_addressspace(cs, res.f.attrs),
 +                              res.f.phys_addr, res.f.attrs, &txres);
      if (txres != MEMTX_OK) {
          /* BusFault trying to read the data */
          qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.UNSTKERR\n");
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool secure,
          qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
          return false;
      }
-+    s->is_nonstreaming = true;
+-    *insn = address_space_lduw_le(arm_addressspace(cs, res.attrs), res.phys,
-     if (!sve_access_check(s)) {
+-                                  res.attrs, &txres);
 +    *insn = address_space_lduw_le(arm_addressspace(cs, res.f.attrs),
 +                                  res.f.phys_addr, res.f.attrs, &txres);
      if (txres != MEMTX_OK) {
          env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
          armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_sg_stack_word(ARMCPU *cpu, ARMMMUIdx mmu_idx,
          }
          return false;
      }
 -    value = address_space_ldl(arm_addressspace(cs, res.attrs), res.phys,
 -                              res.attrs, &txres);
 +    value = address_space_ldl(arm_addressspace(cs, res.f.attrs),
 +                              res.f.phys_addr, res.f.attrs, &txres);
      if (txres != MEMTX_OK) {
          /* BusFault trying to read the data */
          qemu_log_mask(CPU_LOG_INT,
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
          } else {
              mrvalid = true;
          }
 -        r = res.prot & PAGE_READ;
 -        rw = res.prot & PAGE_WRITE;
 +        r = res.f.prot & PAGE_READ;
 +        rw = res.f.prot & PAGE_WRITE;
      } else {
          r = false;
          rw = false;
 diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/ptw.c
 +++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
              assert(!is_secure);
          }
 -        addr = s2.phys;
 +        addr = s2.f.phys_addr;
      }
      return addr;
  }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
          /* 1Mb section.  */
          phys_addr = (desc & 0xfff00000) | (address & 0x000fffff);
          ap = (desc >> 10) & 3;
 -        result->page_size = 1024 * 1024;
 +        result->f.lg_page_size = 20; /* 1MB */
      } else {
          /* Lookup l2 entry.  */
          if (type == 1) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
          case 1: /* 64k page.  */
              phys_addr = (desc & 0xffff0000) | (address & 0xffff);
              ap = (desc >> (4 + ((address >> 13) & 6))) & 3;
 -            result->page_size = 0x10000;
 +            result->f.lg_page_size = 16;
              break;
          case 2: /* 4k page.  */
              phys_addr = (desc & 0xfffff000) | (address & 0xfff);
              ap = (desc >> (4 + ((address >> 9) & 6))) & 3;
 -            result->page_size = 0x1000;
 +            result->f.lg_page_size = 12;
              break;
          case 3: /* 1k page, or ARMv6/XScale "extended small (4k) page" */
              if (type == 1) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
                  if (arm_feature(env, ARM_FEATURE_XSCALE)
                      || arm_feature(env, ARM_FEATURE_V6)) {
                      phys_addr = (desc & 0xfffff000) | (address & 0xfff);
 -                    result->page_size = 0x1000;
 +                    result->f.lg_page_size = 12;
                  } else {
                      /*
                       * UNPREDICTABLE in ARMv5; we choose to take a
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
                  }
              } else {
                  phys_addr = (desc & 0xfffffc00) | (address & 0x3ff);
 -                result->page_size = 0x400;
 +                result->f.lg_page_size = 10;
              }
              ap = (desc >> 4) & 3;
              break;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
              g_assert_not_reached();
          }
      }
 -    result->prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
 -    result->prot |= result->prot ? PAGE_EXEC : 0;
 -    if (!(result->prot & (1 << access_type))) {
 +    result->f.prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
 +    result->f.prot |= result->f.prot ? PAGE_EXEC : 0;
 +    if (!(result->f.prot & (1 << access_type))) {
          /* Access permission fault.  */
          fi->type = ARMFault_Permission;
          goto do_fault;
      }
 -    result->phys = phys_addr;
 +    result->f.phys_addr = phys_addr;
      return false;
  do_fault:
      fi->domain = domain;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
              phys_addr = (desc & 0xff000000) | (address & 0x00ffffff);
              phys_addr |= (uint64_t)extract32(desc, 20, 4) << 32;
              phys_addr |= (uint64_t)extract32(desc, 5, 4) << 36;
 -            result->page_size = 0x1000000;
 +            result->f.lg_page_size = 24;  /* 16MB */
          } else {
              /* Section.  */
              phys_addr = (desc & 0xfff00000) | (address & 0x000fffff);
 -            result->page_size = 0x100000;
 +            result->f.lg_page_size = 20;  /* 1MB */
          }
          ap = ((desc >> 10) & 3) | ((desc >> 13) & 4);
          xn = desc & (1 << 4);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
          case 1: /* 64k page.  */
              phys_addr = (desc & 0xffff0000) | (address & 0xffff);
              xn = desc & (1 << 15);
 -            result->page_size = 0x10000;
 +            result->f.lg_page_size = 16;
              break;
          case 2: case 3: /* 4k page.  */
              phys_addr = (desc & 0xfffff000) | (address & 0xfff);
              xn = desc & 1;
 -            result->page_size = 0x1000;
 +            result->f.lg_page_size = 12;
              break;
          default:
              /* Never happens, but compiler isn't smart enough to tell.  */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
          }
      }
      if (domain_prot == 3) {
 -        result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 +        result->f.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
      } else {
          if (pxn && !regime_is_user(env, mmu_idx)) {
              xn = 1;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
                  fi->type = ARMFault_AccessFlag;
                  goto do_fault;
              }
 -            result->prot = simple_ap_to_rw_prot(env, mmu_idx, ap >> 1);
 +            result->f.prot = simple_ap_to_rw_prot(env, mmu_idx, ap >> 1);
          } else {
 -            result->prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
 +            result->f.prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
          }
 -        if (result->prot && !xn) {
 -            result->prot |= PAGE_EXEC;
 +        if (result->f.prot && !xn) {
 +            result->f.prot |= PAGE_EXEC;
          }
 -        if (!(result->prot & (1 << access_type))) {
 +        if (!(result->f.prot & (1 << access_type))) {
              /* Access permission fault.  */
              fi->type = ARMFault_Permission;
              goto do_fault;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
           * the CPU doesn't support TZ or this is a non-secure translation
           * regime, because the attribute will already be non-secure.
           */
 -        result->attrs.secure = false;
 +        result->f.attrs.secure = false;
      }
 -    result->phys = phys_addr;
 +    result->f.phys_addr = phys_addr;
      return false;
  do_fault:
      fi->domain = domain;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
      if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
          ns = mmu_idx == ARMMMUIdx_Stage2;
          xn = extract32(attrs, 11, 2);
 -        result->prot = get_S2prot(env, ap, xn, s1_is_el0);
 +        result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
      } else {
          ns = extract32(attrs, 3, 1);
          xn = extract32(attrs, 12, 1);
          pxn = extract32(attrs, 11, 1);
 -        result->prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
 +        result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
      }
      fault_type = ARMFault_Permission;
 -    if (!(result->prot & (1 << access_type))) {
 +    if (!(result->f.prot & (1 << access_type))) {
          goto do_fault;
      }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
           * the CPU doesn't support TZ or this is a non-secure translation
           * regime, because the attribute will already be non-secure.
           */
 -        result->attrs.secure = false;
 +        result->f.attrs.secure = false;
      }
      /* When in aarch64 mode, and BTI is enabled, remember GP in the IOTLB.  */
      if (aarch64 && guarded && cpu_isar_feature(aa64_bti, cpu)) {
 -        arm_tlb_bti_gp(&result->attrs) = true;
 +        arm_tlb_bti_gp(&result->f.attrs) = true;
      }
      if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
          result->cacheattrs.shareability = extract32(attrs, 6, 2);
      }
 -    result->phys = descaddr;
 -    result->page_size = page_size;
 +    result->f.phys_addr = descaddr;
 +    result->f.lg_page_size = ctz64(page_size);
      return false;
  do_fault:
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
      if (regime_translation_disabled(env, mmu_idx, is_secure)) {
          /* MPU disabled.  */
 -        result->phys = address;
 -        result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 +        result->f.phys_addr = address;
 +        result->f.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
          return false;
      }
 -    result->phys = address;
 +    result->f.phys_addr = address;
      for (n = 7; n >= 0; n--) {
          base = env->cp15.c6_region[n];
          if ((base & 1) == 0) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
              fi->level = 1;
              return true;
          }
 -        result->prot = PAGE_READ | PAGE_WRITE;
 +        result->f.prot = PAGE_READ | PAGE_WRITE;
          break;
      case 2:
 -        result->prot = PAGE_READ;
 +        result->f.prot = PAGE_READ;
          if (!is_user) {
 -            result->prot |= PAGE_WRITE;
 +            result->f.prot |= PAGE_WRITE;
          }
          break;
      case 3:
 -        result->prot = PAGE_READ | PAGE_WRITE;
 +        result->f.prot = PAGE_READ | PAGE_WRITE;
          break;
      case 5:
          if (is_user) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
              fi->level = 1;
              return true;
          }
 -        result->prot = PAGE_READ;
 +        result->f.prot = PAGE_READ;
          break;
      case 6:
 -        result->prot = PAGE_READ;
 +        result->f.prot = PAGE_READ;
          break;
      default:
          /* Bad permission.  */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
          fi->level = 1;
          return true;
      }
-@@ -XXX,XX +XXX,XX @@ static bool trans_FADDA(DisasContext *s, arg_rprr_esz *a)
+-    result->prot |= PAGE_EXEC;
- DO_FP3(FADD_zzz, fadd)
++    result->f.prot |= PAGE_EXEC;
- DO_FP3(FSUB_zzz, fsub)
+     return false;
- DO_FP3(FMUL_zzz, fmul)
+ }
--DO_FP3(FTSMUL, ftsmul)
- DO_FP3(FRECPS, recps)
+ static void get_phys_addr_pmsav7_default(CPUARMState *env, ARMMMUIdx mmu_idx,
- DO_FP3(FRSQRTS, rsqrts)
+-                                         int32_t address, int *prot)
++                                         int32_t address, uint8_t *prot)
- #undef DO_FP3
+ {
+     if (!arm_feature(env, ARM_FEATURE_M)) {
-+static gen_helper_gvec_3_ptr * const ftsmul_fns[4] = {
+         *prot = PAGE_READ | PAGE_WRITE;
-+    NULL,                     gen_helper_gvec_ftsmul_h,
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
-+    gen_helper_gvec_ftsmul_s, gen_helper_gvec_ftsmul_d
+     int n;
-+};
+     bool is_user = regime_is_user(env, mmu_idx);
-+TRANS_FEAT_NONSTREAMING(FTSMUL, aa64_sve, gen_gvec_fpst_arg_zzz,
-+                        ftsmul_fns[a->esz], a, 0)
+-    result->phys = address;
-+
+-    result->page_size = TARGET_PAGE_SIZE;
- /*
+-    result->prot = 0;
-  *** SVE Floating Point Arithmetic - Predicated Group
++    result->f.phys_addr = address;
-  */
++    result->f.lg_page_size = TARGET_PAGE_BITS;
 +    result->f.prot = 0;
      if (regime_translation_disabled(env, mmu_idx, secure) ||
          m_is_ppb_region(env, address)) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
           * which always does a direct read using address_space_ldl(), rather
           * than going via this function, so we don't need to check that here.
           */
 -        get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->prot);
 +        get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->f.prot);
      } else { /* MPU enabled */
          for (n = (int)cpu->pmsav7_dregion - 1; n >= 0; n--) {
              /* region search */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                  if (ranges_overlap(base, rmask,
                                     address & TARGET_PAGE_MASK,
                                     TARGET_PAGE_SIZE)) {
 -                    result->page_size = 1;
 +                    result->f.lg_page_size = 0;
                  }
                  continue;
              }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                  continue;
              }
              if (rsize < TARGET_PAGE_BITS) {
 -                result->page_size = 1 << rsize;
 +                result->f.lg_page_size = rsize;
              }
              break;
          }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                  fi->type = ARMFault_Background;
                  return true;
              }
 -            get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->prot);
 +            get_phys_addr_pmsav7_default(env, mmu_idx, address,
 +                                         &result->f.prot);
          } else { /* a MPU hit! */
              uint32_t ap = extract32(env->pmsav7.dracr[n], 8, 3);
              uint32_t xn = extract32(env->pmsav7.dracr[n], 12, 1);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                  case 5:
                      break; /* no access */
                  case 3:
 -                    result->prot |= PAGE_WRITE;
 +                    result->f.prot |= PAGE_WRITE;
                      /* fall through */
                  case 2:
                  case 6:
 -                    result->prot |= PAGE_READ | PAGE_EXEC;
 +                    result->f.prot |= PAGE_READ | PAGE_EXEC;
                      break;
                  case 7:
                      /* for v7M, same as 6; for R profile a reserved value */
                      if (arm_feature(env, ARM_FEATURE_M)) {
 -                        result->prot |= PAGE_READ | PAGE_EXEC;
 +                        result->f.prot |= PAGE_READ | PAGE_EXEC;
                          break;
                      }
                      /* fall through */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                  case 1:
                  case 2:
                  case 3:
 -                    result->prot |= PAGE_WRITE;
 +                    result->f.prot |= PAGE_WRITE;
                      /* fall through */
                  case 5:
                  case 6:
 -                    result->prot |= PAGE_READ | PAGE_EXEC;
 +                    result->f.prot |= PAGE_READ | PAGE_EXEC;
                      break;
                  case 7:
                      /* for v7M, same as 6; for R profile a reserved value */
                      if (arm_feature(env, ARM_FEATURE_M)) {
 -                        result->prot |= PAGE_READ | PAGE_EXEC;
 +                        result->f.prot |= PAGE_READ | PAGE_EXEC;
                          break;
                      }
                      /* fall through */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
              /* execute never */
              if (xn) {
 -                result->prot &= ~PAGE_EXEC;
 +                result->f.prot &= ~PAGE_EXEC;
              }
          }
      }
      fi->type = ARMFault_Permission;
      fi->level = 1;
 -    return !(result->prot & (1 << access_type));
 +    return !(result->f.prot & (1 << access_type));
  }
  bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
      uint32_t addr_page_base = address & TARGET_PAGE_MASK;
      uint32_t addr_page_limit = addr_page_base + (TARGET_PAGE_SIZE - 1);
 -    result->page_size = TARGET_PAGE_SIZE;
 -    result->phys = address;
 -    result->prot = 0;
 +    result->f.lg_page_size = TARGET_PAGE_BITS;
 +    result->f.phys_addr = address;
 +    result->f.prot = 0;
      if (mregion) {
          *mregion = -1;
      }
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
                      ranges_overlap(base, limit - base + 1,
                                     addr_page_base,
                                     TARGET_PAGE_SIZE)) {
 -                    result->page_size = 1;
 +                    result->f.lg_page_size = 0;
                  }
                  continue;
              }
              if (base > addr_page_base || limit < addr_page_limit) {
 -                result->page_size = 1;
 +                result->f.lg_page_size = 0;
              }
              if (matchregion != -1) {
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
      if (matchregion == -1) {
          /* hit using the background region */
 -        get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->prot);
 +        get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->f.prot);
      } else {
          uint32_t ap = extract32(env->pmsav8.rbar[secure][matchregion], 1, 2);
          uint32_t xn = extract32(env->pmsav8.rbar[secure][matchregion], 0, 1);
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
              xn = 1;
          }
 -        result->prot = simple_ap_to_rw_prot(env, mmu_idx, ap);
 -        if (result->prot && !xn && !(pxn && !is_user)) {
 -            result->prot |= PAGE_EXEC;
 +        result->f.prot = simple_ap_to_rw_prot(env, mmu_idx, ap);
 +        if (result->f.prot && !xn && !(pxn && !is_user)) {
 +            result->f.prot |= PAGE_EXEC;
          }
          /*
           * We don't need to look the attribute up in the MAIR0/MAIR1
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
      fi->type = ARMFault_Permission;
      fi->level = 1;
 -    return !(result->prot & (1 << access_type));
 +    return !(result->f.prot & (1 << access_type));
  }
  static bool v8m_is_sau_exempt(CPUARMState *env,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
                  } else {
                      fi->type = ARMFault_QEMU_SFault;
                  }
 -                result->page_size = sattrs.subpage ? 1 : TARGET_PAGE_SIZE;
 -                result->phys = address;
 -                result->prot = 0;
 +                result->f.lg_page_size = sattrs.subpage ? 0 : TARGET_PAGE_BITS;
 +                result->f.phys_addr = address;
 +                result->f.prot = 0;
                  return true;
              }
          } else {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
               * might downgrade a secure access to nonsecure.
               */
              if (sattrs.ns) {
 -                result->attrs.secure = false;
 +                result->f.attrs.secure = false;
              } else if (!secure) {
                  /*
                   * NS access to S memory must fault.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
                   * for M_FAKE_FSR_SFAULT in arm_v7m_cpu_do_interrupt().
                   */
                  fi->type = ARMFault_QEMU_SFault;
 -                result->page_size = sattrs.subpage ? 1 : TARGET_PAGE_SIZE;
 -                result->phys = address;
 -                result->prot = 0;
 +                result->f.lg_page_size = sattrs.subpage ? 0 : TARGET_PAGE_BITS;
 +                result->f.phys_addr = address;
 +                result->f.prot = 0;
                  return true;
              }
          }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
      ret = pmsav8_mpu_lookup(env, address, access_type, mmu_idx, secure,
                              result, fi, NULL);
      if (sattrs.subpage) {
 -        result->page_size = 1;
 +        result->f.lg_page_size = 0;
      }
      return ret;
  }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
          result->cacheattrs.is_s2_format = false;
      }
 -    result->phys = address;
 -    result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 -    result->page_size = TARGET_PAGE_SIZE;
 +    result->f.phys_addr = address;
 +    result->f.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 +    result->f.lg_page_size = TARGET_PAGE_BITS;
      result->cacheattrs.shareability = shareability;
      result->cacheattrs.attrs = memattr;
      return 0;
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                  return ret;
              }
 -            ipa = result->phys;
 -            ipa_secure = result->attrs.secure;
 +            ipa = result->f.phys_addr;
 +            ipa_secure = result->f.attrs.secure;
              if (is_secure) {
                  /* Select TCR based on the NS bit from the S1 walk. */
                  s2walk_secure = !(ipa_secure
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
               * Save the stage1 results so that we may merge
               * prot and cacheattrs later.
               */
 -            s1_prot = result->prot;
 +            s1_prot = result->f.prot;
              cacheattrs1 = result->cacheattrs;
              memset(result, 0, sizeof(*result));
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
              fi->s2addr = ipa;
              /* Combine the S1 and S2 perms.  */
 -            result->prot &= s1_prot;
 +            result->f.prot &= s1_prot;
              /* If S2 fails, return early.  */
              if (ret) {
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
               * Check if IPA translates to secure or non-secure PA space.
               * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
               */
 -            result->attrs.secure =
 +            result->f.attrs.secure =
                  (is_secure
                   && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
                   && (ipa_secure
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
       * cannot upgrade an non-secure translation regime's attributes
       * to secure.
       */
 -    result->attrs.secure = is_secure;
 -    result->attrs.user = regime_is_user(env, mmu_idx);
 +    result->f.attrs.secure = is_secure;
 +    result->f.attrs.user = regime_is_user(env, mmu_idx);
      /*
       * Fast Context Switch Extension. This doesn't exist at all in v8.
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
      if (arm_feature(env, ARM_FEATURE_PMSA)) {
          bool ret;
 -        result->page_size = TARGET_PAGE_SIZE;
 +        result->f.lg_page_size = TARGET_PAGE_BITS;
          if (arm_feature(env, ARM_FEATURE_V8)) {
              /* PMSAv8 */
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                        (access_type == MMU_DATA_STORE ? "writing" : "execute"),
                        (uint32_t)address, mmu_idx,
                        ret ? "Miss" : "Hit",
 -                      result->prot & PAGE_READ ? 'r' : '-',
 -                      result->prot & PAGE_WRITE ? 'w' : '-',
 -                      result->prot & PAGE_EXEC ? 'x' : '-');
 +                      result->f.prot & PAGE_READ ? 'r' : '-',
 +                      result->f.prot & PAGE_WRITE ? 'w' : '-',
 +                      result->f.prot & PAGE_EXEC ? 'x' : '-');
          return ret;
      }
@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
      bool ret;
      ret = get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &res, &fi);
 -    *attrs = res.attrs;
 +    *attrs = res.f.attrs;
      if (ret) {
          return -1;
      }
 -    return res.phys;
 +    return res.f.phys_addr;
  }
 diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tlb_helper.c
 +++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
           * target page size are handled specially, so for those we
           * pass in the exact addresses.
           */
 -        if (res.page_size >= TARGET_PAGE_SIZE) {
 -            res.phys &= TARGET_PAGE_MASK;
 +        if (res.f.lg_page_size >= TARGET_PAGE_BITS) {
 +            res.f.phys_addr &= TARGET_PAGE_MASK;
              address &= TARGET_PAGE_MASK;
          }
          /* Notice and record tagged memory. */
          if (cpu_isar_feature(aa64_mte, cpu) && res.cacheattrs.attrs == 0xf0) {
 -            arm_tlb_mte_tagged(&res.attrs) = true;
 +            arm_tlb_mte_tagged(&res.f.attrs) = true;
          }
 -        tlb_set_page_with_attrs(cs, address, res.phys, res.attrs,
 -                                res.prot, mmu_idx, res.page_size);
 +        tlb_set_page_full(cs, mmu_idx, address, &res.f);
          return true;
      } else if (probe) {
          return false;
 --
 .25.1

-[PULL 09/45] target/arm: Mark SMMLA, UMMLA, USMMLA as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-10-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  1 -
- target/arm/translate-sve.c | 12 ++++++------
-files changed, 6 insertions(+), 7 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
- FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
- FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
- FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(FMLALT_zzxw, aa64_sve2, do_FMLAL_zzxw, a, false, true)
- TRANS_FEAT(FMLSLB_zzxw, aa64_sve2, do_FMLAL_zzxw, a, true, false)
- TRANS_FEAT(FMLSLT_zzxw, aa64_sve2, do_FMLAL_zzxw, a, true, true)
--TRANS_FEAT(SMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
--           gen_helper_gvec_smmla_b, a, 0)
--TRANS_FEAT(USMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
--           gen_helper_gvec_usmmla_b, a, 0)
--TRANS_FEAT(UMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
--           gen_helper_gvec_ummla_b, a, 0)
-+TRANS_FEAT_NONSTREAMING(SMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
-+                        gen_helper_gvec_smmla_b, a, 0)
-+TRANS_FEAT_NONSTREAMING(USMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
-+                        gen_helper_gvec_usmmla_b, a, 0)
-+TRANS_FEAT_NONSTREAMING(UMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
-+                        gen_helper_gvec_ummla_b, a, 0)
- TRANS_FEAT(BFDOT_zzzz, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
-            gen_helper_gvec_bfdot, a, 0)
---
-.25.1

-[PULL 10/45] target/arm: Mark string/histo/crypto as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-11-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  1 -
- target/arm/translate-sve.c | 35 ++++++++++++++++++-----------------
-files changed, 18 insertions(+), 18 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
- FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
- FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
- FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ DO_SVE2_ZZZ_NARROW(RSUBHNT, rsubhnt)
- static gen_helper_gvec_flags_4 * const match_fns[4] = {
-     gen_helper_sve2_match_ppzz_b, gen_helper_sve2_match_ppzz_h, NULL, NULL
- };
--TRANS_FEAT(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
-+TRANS_FEAT_NONSTREAMING(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
- static gen_helper_gvec_flags_4 * const nmatch_fns[4] = {
-     gen_helper_sve2_nmatch_ppzz_b, gen_helper_sve2_nmatch_ppzz_h, NULL, NULL
- };
--TRANS_FEAT(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
-+TRANS_FEAT_NONSTREAMING(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
- static gen_helper_gvec_4 * const histcnt_fns[4] = {
-     NULL, NULL, gen_helper_sve2_histcnt_s, gen_helper_sve2_histcnt_d
- };
--TRANS_FEAT(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
--           histcnt_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
-+                        histcnt_fns[a->esz], a, 0)
--TRANS_FEAT(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
--           a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
-+TRANS_FEAT_NONSTREAMING(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
-+                        a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
- DO_ZPZZ_FP(FADDP, aa64_sve2, sve2_faddp_zpzz)
- DO_ZPZZ_FP(FMAXNMP, aa64_sve2, sve2_fmaxnmp_zpzz)
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(SQRDCMLAH_zzzz, aa64_sve2, gen_gvec_ool_zzzz,
- TRANS_FEAT(USDOT_zzzz, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
-            a->esz == 2 ? gen_helper_gvec_usdot_b : NULL, a, 0)
--TRANS_FEAT(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
--           gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
-+TRANS_FEAT_NONSTREAMING(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
-+                        gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
--TRANS_FEAT(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
--           gen_helper_crypto_aese, a, false)
--TRANS_FEAT(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
--           gen_helper_crypto_aese, a, true)
-+TRANS_FEAT_NONSTREAMING(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-+                        gen_helper_crypto_aese, a, false)
-+TRANS_FEAT_NONSTREAMING(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-+                        gen_helper_crypto_aese, a, true)
--TRANS_FEAT(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
--           gen_helper_crypto_sm4e, a, 0)
--TRANS_FEAT(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
--           gen_helper_crypto_sm4ekey, a, 0)
-+TRANS_FEAT_NONSTREAMING(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-+                        gen_helper_crypto_sm4e, a, 0)
-+TRANS_FEAT_NONSTREAMING(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-+                        gen_helper_crypto_sm4ekey, a, 0)
--TRANS_FEAT(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz, gen_gvec_rax1, a)
-+TRANS_FEAT_NONSTREAMING(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz,
-+                        gen_gvec_rax1, a)
- TRANS_FEAT(FCVTNT_sh, aa64_sve2, gen_gvec_fpst_arg_zpz,
-            gen_helper_sve2_fcvtnt_sh, a, 0, FPST_FPCR)
---
-.25.1

-[PULL 12/45] target/arm: Mark gather prefetch as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap if full
-a64 support is not enabled in streaming mode.  In this case, introduce
-PRF_ns (prefetch non-streaming) to handle the checks.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-13-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  3 ---
- target/arm/sve.decode      | 10 +++++-----
- target/arm/translate-sve.c | 11 +++++++++++
-files changed, 16 insertions(+), 8 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
--FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
- FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
- FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
- FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
- FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
--FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve.decode
-+++ b/target/arm/sve.decode
-@@ -XXX,XX +XXX,XX @@ LD1RO_zpri      1010010 .. 01 0.... 001 ... ..... ..... \
-                 @rpri_load_msz nreg=0
- # SVE 32-bit gather prefetch (scalar plus 32-bit scaled offsets)
--PRF             1000010 00 -1 ----- 0-- --- ----- 0 ----
-+PRF_ns          1000010 00 -1 ----- 0-- --- ----- 0 ----
- # SVE 32-bit gather prefetch (vector plus immediate)
--PRF             1000010 -- 00 ----- 111 --- ----- 0 ----
-+PRF_ns          1000010 -- 00 ----- 111 --- ----- 0 ----
- # SVE contiguous prefetch (scalar plus immediate)
- PRF             1000010 11 1- ----- 0-- --- ----- 0 ----
-@@ -XXX,XX +XXX,XX @@ LD1_zpiz        1100010 .. 01 ..... 1.. ... ..... ..... \
-                 @rpri_g_load esz=3
- # SVE 64-bit gather prefetch (scalar plus 64-bit scaled offsets)
--PRF             1100010 00 11 ----- 1-- --- ----- 0 ----
-+PRF_ns          1100010 00 11 ----- 1-- --- ----- 0 ----
- # SVE 64-bit gather prefetch (scalar plus unpacked 32-bit scaled offsets)
--PRF             1100010 00 -1 ----- 0-- --- ----- 0 ----
-+PRF_ns          1100010 00 -1 ----- 0-- --- ----- 0 ----
- # SVE 64-bit gather prefetch (vector plus immediate)
--PRF             1100010 -- 00 ----- 111 --- ----- 0 ----
-+PRF_ns          1100010 -- 00 ----- 111 --- ----- 0 ----
- ### SVE Memory Store Group
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_PRF_rr(DisasContext *s, arg_PRF_rr *a)
-     return true;
- }
-+static bool trans_PRF_ns(DisasContext *s, arg_PRF_ns *a)
-+{
-+    if (!dc_isar_feature(aa64_sve, s)) {
-+        return false;
-+    }
-+    /* Prefetch is a nop within QEMU.  */
-+    s->is_nonstreaming = true;
-+    (void)sve_access_check(s);
-+    return true;
-+}
-+
- /*
-  * Move Prefix
-  *
---
-.25.1

-[PULL 13/45] target/arm: Mark LDFF1 and LDNF1 as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-14-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode | 2 --
- target/arm/translate-sve.c | 2 ++
-files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
--FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
- FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
- FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_LDFF1_zprr(DisasContext *s, arg_rprr_load *a)
-     if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (sve_access_check(s)) {
-         TCGv_i64 addr = new_tmp_a64(s);
-         tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), dtype_msz(a->dtype));
-@@ -XXX,XX +XXX,XX @@ static bool trans_LDNF1_zpri(DisasContext *s, arg_rpri_load *a)
-     if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (sve_access_check(s)) {
-         int vsz = vec_full_reg_size(s);
-         int elements = vsz >> dtype_esz[a->dtype];
---
-.25.1

-[PULL 14/45] target/arm: Mark LD1RO as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-15-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode | 3 ---
- target/arm/translate-sve.c | 2 ++
-files changed, 2 insertions(+), 3 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --0- ---- ---- ---- ---- ----   # Load/store FP register (unscaled imm)
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--
--FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
--FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_LD1RO_zprr(DisasContext *s, arg_rprr_load *a)
-     if (a->rm == 31) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (sve_access_check(s)) {
-         TCGv_i64 addr = new_tmp_a64(s);
-         tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), dtype_msz(a->dtype));
-@@ -XXX,XX +XXX,XX @@ static bool trans_LD1RO_zpri(DisasContext *s, arg_rpri_load *a)
-     if (!dc_isar_feature(aa64_sve_f64mm, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (sve_access_check(s)) {
-         TCGv_i64 addr = new_tmp_a64(s);
-         tcg_gen_addi_i64(addr, cpu_reg_sp(s, a->rn), a->imm * 32);
---
-.25.1

-[PULL 34/45] linux-user/aarch64: Reset PSTATE.SM on syscalls
+[PULL 25/28] hw/arm/boot: set CPTR_EL3.ESM and SCR_EL3.EnTP2 when booting Linux with EL3
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Jerome Forissier <jerome.forissier@linaro.org>
+According to the Linux kernel booting.rst [1], CPTR_EL3.ESM and
+SCR_EL3.EnTP2 must be initialized to 1 when EL3 is present and FEAT_SME
+is advertised. This has to be taken care of when QEMU boots directly
+into the kernel (i.e., "-M virt,secure=on -cpu max -kernel Image").
+Cc: qemu-stable@nongnu.org
+Fixes: 78cb9776662a ("target/arm: Enable SME for -cpu max")
+Link: [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/arm64/booting.rst?h=v6.0#n321
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+Message-id: 20221003145641.1921467-1-jerome.forissier@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-35-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/cpu_loop.c | 9 +++++++++
+ hw/arm/boot.c | 4 ++++
-file changed, 9 insertions(+)
+file changed, 4 insertions(+)
-diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/cpu_loop.c
+--- a/hw/arm/boot.c
-+++ b/linux-user/aarch64/cpu_loop.c
++++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
+@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
+                     if (cpu_isar_feature(aa64_sve, cpu)) {
-         switch (trapnr) {
+                         env->cp15.cptr_el[3] |= R_CPTR_EL3_EZ_MASK;
-         case EXCP_SWI:
+                     }
-+            /*
++                    if (cpu_isar_feature(aa64_sme, cpu)) {
-+             * On syscall, PSTATE.ZA is preserved, along with the ZA matrix.
++                        env->cp15.cptr_el[3] |= R_CPTR_EL3_ESM_MASK;
-+             * PSTATE.SM is cleared, per SMSTOP, which does ResetSVEState.
++                        env->cp15.scr_el3 |= SCR_ENTP2;
-+             */
++                    }
-+            if (FIELD_EX64(env->svcr, SVCR, SM)) {
+                     /* AArch64 kernels never boot in secure mode */
-+                env->svcr = FIELD_DP64(env->svcr, SVCR, SM, 0);
+                     assert(!info->secure_boot);
-+                arm_rebuild_hflags(env);
+                     /* This hook is only supported for AArch32 currently:
 +                arm_reset_sve_state(env);
 +            }
              ret = do_syscall(env,
                               env->xregs[8],
                               env->xregs[0],
 --
 .25.1

-[PULL 17/45] target/arm: Implement SME RDSVL, ADDSVL, ADDSPL
+[PULL 26/28] target/arm: Don't allow guest to use unimplemented granule sizes
-From: Richard Henderson <richard.henderson@linaro.org>
+Arm CPUs support some subset of the granule (page) sizes 4K, 16K and
+K.  The guest selects the one it wants using bits in the TCR_ELx
-These SME instructions are nominally within the SVE decode space,
+registers.  If it tries to program these registers with a value that
-so we add them to sve.decode and translate-sve.c.
+is either reserved or which requests a size that the CPU does not
+implement, the architecture requires that the CPU behaves as if the
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+field was programmed to some size that has been implemented.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Currently we don't implement this, and instead let the guest use any
-Message-id: 20220708151540.18136-18-richard.henderson@linaro.org
+granule size, even if the CPU ID register fields say it isn't
 present.
 Make aa64_va_parameters() check against the supported granule size
 and force use of a different one if it is not implemented.
 (A subsequent commit will make ARMVAParameters use the new enum
 rather than the current pair of using16k/using64k bools.)
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20221003162315.2833797-2-peter.maydell@linaro.org
 ---
- target/arm/translate-a64.h | 12 ++++++++++++
+ target/arm/cpu.h       |  33 +++++++++++++
- target/arm/sve.decode      |  5 ++++-
+ target/arm/internals.h |   9 ++++
- target/arm/translate-sve.c | 38 ++++++++++++++++++++++++++++++++++++++
+ target/arm/helper.c    | 102 +++++++++++++++++++++++++++++++++++++----
-files changed, 54 insertions(+), 1 deletion(-)
+files changed, 136 insertions(+), 8 deletions(-)
-diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.h
+--- a/target/arm/cpu.h
-+++ b/target/arm/translate-a64.h
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline int vec_full_reg_size(DisasContext *s)
+@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_tgran16_2_lpa2(const ARMISARegisters *id)
-     return s->vl;
+     return t >= 3 || (t == 0 && isar_feature_aa64_tgran16_lpa2(id));
  }
-+/* Return the byte size of the vector register, SVL / 8. */
++static inline bool isar_feature_aa64_tgran4(const ARMISARegisters *id)
-+static inline int streaming_vec_reg_size(DisasContext *s)
++{
-+{
++    return FIELD_SEX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4) >= 0;
-+    return s->svl;
++}
-+}
++
 +static inline bool isar_feature_aa64_tgran16(const ARMISARegisters *id)
 +{
 +    return FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN16) >= 1;
 +}
 +
 +static inline bool isar_feature_aa64_tgran64(const ARMISARegisters *id)
 +{
 +    return FIELD_SEX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN64) >= 0;
 +}
 +
 +static inline bool isar_feature_aa64_tgran4_2(const ARMISARegisters *id)
 +{
 +    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4_2);
 +    return t >= 2 || (t == 0 && isar_feature_aa64_tgran4(id));
 +}
 +
 +static inline bool isar_feature_aa64_tgran16_2(const ARMISARegisters *id)
 +{
 +    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN16_2);
 +    return t >= 2 || (t == 0 && isar_feature_aa64_tgran16(id));
 +}
 +
 +static inline bool isar_feature_aa64_tgran64_2(const ARMISARegisters *id)
 +{
 +    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN64_2);
 +    return t >= 2 || (t == 0 && isar_feature_aa64_tgran64(id));
 +}
 +
  static inline bool isar_feature_aa64_ccidx(const ARMISARegisters *id)
  {
      return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, CCIDX) != 0;
 diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/internals.h
 +++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t aarch64_pstate_valid_mask(const ARMISARegisters *id)
      return valid;
  }
 +/* Granule size (i.e. page size) */
 +typedef enum ARMGranuleSize {
 +    /* Same order as TG0 encoding */
 +    Gran4K,
 +    Gran64K,
 +    Gran16K,
 +    GranInvalid,
 +} ARMGranuleSize;
 +
  /*
-  * Return the offset info CPUARMState of the predicate vector register Pn.
+  * Parameters of a given virtual address, as extracted from the
-  * Note for this purpose, FFR is P16.
+  * translation control register (TCR) for a given regime.
-@@ -XXX,XX +XXX,XX @@ static inline int pred_full_reg_size(DisasContext *s)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
-     return s->vl >> 3;
+index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static int aa64_va_parameter_tcma(uint64_t tcr, ARMMMUIdx mmu_idx)
      }
  }
-+/* Return the byte size of the predicate register, SVL / 64.  */
++static ARMGranuleSize tg0_to_gran_size(int tg)
-+static inline int streaming_pred_reg_size(DisasContext *s)
++{
-+{
++    switch (tg) {
-+    return s->svl >> 3;
++    case 0:
-+}
++        return Gran4K;
-+
++    case 1:
- /*
++        return Gran64K;
-  * Round up the size of a register to a size allowed by
++    case 2:
-  * the tcg vector infrastructure.  Any operation which uses this
++        return Gran16K;
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
++    default:
-index XXXXXXX..XXXXXXX 100644
++        return GranInvalid;
---- a/target/arm/sve.decode
++    }
-+++ b/target/arm/sve.decode
++}
-@@ -XXX,XX +XXX,XX @@ INDEX_ri        00000100 esz:2 1 imm:s5 010001 rn:5 rd:5
++
- # SVE index generation (register start, register increment)
++static ARMGranuleSize tg1_to_gran_size(int tg)
- INDEX_rr        00000100 .. 1 ..... 010011 ..... .....          @rd_rn_rm
++{
++    switch (tg) {
--### SVE Stack Allocation Group
++    case 1:
-+### SVE / Streaming SVE Stack Allocation Group
++        return Gran16K;
++    case 2:
- # SVE stack frame adjustment
++        return Gran4K;
- ADDVL           00000100 001 ..... 01010 ...... .....           @rd_rn_i6
++    case 3:
-+ADDSVL          00000100 001 ..... 01011 ...... .....           @rd_rn_i6
++        return Gran64K;
- ADDPL           00000100 011 ..... 01010 ...... .....           @rd_rn_i6
++    default:
-+ADDSPL          00000100 011 ..... 01011 ...... .....           @rd_rn_i6
++        return GranInvalid;
++    }
- # SVE stack frame size
++}
- RDVL            00000100 101 11111 01010 imm:s6 rd:5
++
-+RDSVL           00000100 101 11111 01011 imm:s6 rd:5
++static inline bool have4k(ARMCPU *cpu, bool stage2)
++{
- ### SVE Bitwise Shift - Unpredicated Group
++    return stage2 ? cpu_isar_feature(aa64_tgran4_2, cpu)
++        : cpu_isar_feature(aa64_tgran4, cpu);
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
++}
-index XXXXXXX..XXXXXXX 100644
++
---- a/target/arm/translate-sve.c
++static inline bool have16k(ARMCPU *cpu, bool stage2)
-+++ b/target/arm/translate-sve.c
++{
-@@ -XXX,XX +XXX,XX @@ static bool trans_ADDVL(DisasContext *s, arg_ADDVL *a)
++    return stage2 ? cpu_isar_feature(aa64_tgran16_2, cpu)
-     return true;
++        : cpu_isar_feature(aa64_tgran16, cpu);
- }
++}
++
-+static bool trans_ADDSVL(DisasContext *s, arg_ADDSVL *a)
++static inline bool have64k(ARMCPU *cpu, bool stage2)
 +{
-+    if (!dc_isar_feature(aa64_sme, s)) {
++    return stage2 ? cpu_isar_feature(aa64_tgran64_2, cpu)
-+        return false;
++        : cpu_isar_feature(aa64_tgran64, cpu);
-+    }
++}
-+    if (sme_enabled_check(s)) {
++
-+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
++static ARMGranuleSize sanitize_gran_size(ARMCPU *cpu, ARMGranuleSize gran,
-+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
++                                         bool stage2)
-+        tcg_gen_addi_i64(rd, rn, a->imm * streaming_vec_reg_size(s));
++{
-+    }
++    switch (gran) {
-+    return true;
++    case Gran4K:
-+}
++        if (have4k(cpu, stage2)) {
-+
++            return gran;
- static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
++        }
 +        break;
 +    case Gran16K:
 +        if (have16k(cpu, stage2)) {
 +            return gran;
 +        }
 +        break;
 +    case Gran64K:
 +        if (have64k(cpu, stage2)) {
 +            return gran;
 +        }
 +        break;
 +    case GranInvalid:
 +        break;
 +    }
 +    /*
 +     * If the guest selects a granule size that isn't implemented,
 +     * the architecture requires that we behave as if it selected one
 +     * that is (with an IMPDEF choice of which one to pick). We choose
 +     * to implement the smallest supported granule size.
 +     */
 +    if (have4k(cpu, stage2)) {
 +        return Gran4K;
 +    }
 +    if (have16k(cpu, stage2)) {
 +        return Gran16K;
 +    }
 +    assert(have64k(cpu, stage2));
 +    return Gran64K;
 +}
 +
  ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
                                     ARMMMUIdx mmu_idx, bool data)
  {
-     if (!dc_isar_feature(aa64_sve, s)) {
+     uint64_t tcr = regime_tcr(env, mmu_idx);
-@@ -XXX,XX +XXX,XX @@ static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
+     bool epd, hpd, using16k, using64k, tsz_oob, ds;
-     return true;
+     int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
- }
++    ARMGranuleSize gran;
+     ARMCPU *cpu = env_archcpu(env);
-+static bool trans_ADDSPL(DisasContext *s, arg_ADDSPL *a)
++    bool stage2 = mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S;
-+{
-+    if (!dc_isar_feature(aa64_sme, s)) {
+     if (!regime_has_2_ranges(mmu_idx)) {
-+        return false;
+         select = 0;
-+    }
+         tsz = extract32(tcr, 0, 6);
-+    if (sme_enabled_check(s)) {
+-        using64k = extract32(tcr, 14, 1);
-+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
+-        using16k = extract32(tcr, 15, 1);
-+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
+-        if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
-+        tcg_gen_addi_i64(rd, rn, a->imm * streaming_pred_reg_size(s));
++        gran = tg0_to_gran_size(extract32(tcr, 14, 2));
-+    }
++        if (stage2) {
-+    return true;
+             /* VTCR_EL2 */
-+}
+             hpd = false;
-+
+         } else {
- static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
- {
+         select = extract64(va, 55, 1);
-     if (!dc_isar_feature(aa64_sve, s)) {
+         if (!select) {
-@@ -XXX,XX +XXX,XX @@ static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
+             tsz = extract32(tcr, 0, 6);
-     return true;
++            gran = tg0_to_gran_size(extract32(tcr, 14, 2));
- }
+             epd = extract32(tcr, 7, 1);
+             sh = extract32(tcr, 12, 2);
-+static bool trans_RDSVL(DisasContext *s, arg_RDSVL *a)
+-            using64k = extract32(tcr, 14, 1);
-+{
+-            using16k = extract32(tcr, 15, 1);
-+    if (!dc_isar_feature(aa64_sme, s)) {
+             hpd = extract64(tcr, 41, 1);
-+        return false;
+         } else {
-+    }
+-            int tg = extract32(tcr, 30, 2);
-+    if (sme_enabled_check(s)) {
+-            using16k = tg == 1;
-+        TCGv_i64 reg = cpu_reg(s, a->rd);
+-            using64k = tg == 3;
-+        tcg_gen_movi_i64(reg, a->imm * streaming_vec_reg_size(s));
+             tsz = extract32(tcr, 16, 6);
-+    }
++            gran = tg1_to_gran_size(extract32(tcr, 30, 2));
-+    return true;
+             epd = extract32(tcr, 23, 1);
-+}
+             sh = extract32(tcr, 28, 2);
-+
+             hpd = extract64(tcr, 42, 1);
- /*
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-  *** SVE Compute Vector Address Group
+         ds = extract64(tcr, 59, 1);
-  */
+     }
 +    gran = sanitize_gran_size(cpu, gran, stage2);
 +    using64k = gran == Gran64K;
 +    using16k = gran == Gran16K;
 +
      if (cpu_isar_feature(aa64_st, cpu)) {
          max_tsz = 48 - using64k;
      } else {
 --
 .25.1

-[PULL 20/45] target/arm: Implement SME LD1, ST1
+[PULL 27/28] target/arm: Use ARMGranuleSize in ARMVAParameters
-From: Richard Henderson <richard.henderson@linaro.org>
+Now we have an enum for the granule size, use it in the
 ARMVAParameters struct instead of the using16k/using64k bools.
-We cannot reuse the SVE functions for LD[1-4] and ST[1-4],
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-because those functions accept only a Zreg register number.
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-For SME, we want to pass a pointer into ZA storage.
+Message-id: 20221003162315.2833797-3-peter.maydell@linaro.org
 ---
  target/arm/internals.h | 23 +++++++++++++++++++++--
  target/arm/helper.c    | 39 ++++++++++++++++++++++++++++-----------
  target/arm/ptw.c       |  8 +-------
 files changed, 50 insertions(+), 20 deletions(-)
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-21-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/helper-sme.h    |  82 +++++
  target/arm/sme.decode      |   9 +
  target/arm/sme_helper.c    | 595 +++++++++++++++++++++++++++++++++++++
  target/arm/translate-sme.c |  70 +++++
 files changed, 756 insertions(+)
 diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
+--- a/target/arm/internals.h
-+++ b/target/arm/helper-sme.h
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sme_mova_cz_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+@@ -XXX,XX +XXX,XX @@ typedef enum ARMGranuleSize {
- DEF_HELPER_FLAGS_4(sme_mova_zc_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+     GranInvalid,
- DEF_HELPER_FLAGS_4(sme_mova_cz_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+ } ARMGranuleSize;
- DEF_HELPER_FLAGS_4(sme_mova_zc_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
-+
++/**
-+DEF_HELPER_FLAGS_5(sme_ld1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
++ * arm_granule_bits: Return address size of the granule in bits
-+DEF_HELPER_FLAGS_5(sme_ld1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
++ *
-+DEF_HELPER_FLAGS_5(sme_ld1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
++ * Return the address size of the granule in bits. This corresponds
-+DEF_HELPER_FLAGS_5(sme_ld1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
++ * to the pseudocode TGxGranuleBits().
 +
 +DEF_HELPER_FLAGS_5(sme_ld1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_ld1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_ld1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_ld1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 diff --git a/target/arm/sme.decode b/target/arm/sme.decode
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme.decode
 +++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ MOVA            11000000 esz:2 00001 0 v:1 .. pg:3 0 za_imm:4 zr:5  \
                  &mova to_vec=1 rs=%mova_rs
  MOVA            11000000 11    00001 1 v:1 .. pg:3 0 za_imm:4 zr:5  \
                  &mova to_vec=1 rs=%mova_rs esz=4
 +
 +### SME Memory
 +
 +&ldst           esz rs pg rn rm za_imm v:bool st:bool
 +
 +LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
 +                &ldst rs=%mova_rs
 +LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
 +                &ldst esz=4 rs=%mova_rs
 diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "cpu.h"
 +#include "internals.h"
  #include "tcg/tcg-gvec-desc.h"
  #include "exec/helper-proto.h"
 +#include "exec/cpu_ldst.h"
 +#include "exec/exec-all.h"
  #include "qemu/int128.h"
  #include "vec_internal.h"
 +#include "sve_ldst_internal.h"
  /* ResetSVEState */
  void arm_reset_sve_state(CPUARMState *env)
@@ -XXX,XX +XXX,XX @@ void HELPER(sme_mova_zc_q)(void *vd, void *za, void *vg, uint32_t desc)
  }
  #undef DO_MOVA_Z
 +
 +/*
 + * Clear elements in a tile slice comprising len bytes.
 + */
-+
++static inline int arm_granule_bits(ARMGranuleSize gran)
 +typedef void ClearFn(void *ptr, size_t off, size_t len);
 +
 +static void clear_horizontal(void *ptr, size_t off, size_t len)
 +{
-+    memset(ptr + off, 0, len);
++    switch (gran) {
-+}
++    case Gran64K:
-+
++        return 16;
-+static void clear_vertical_b(void *vptr, size_t off, size_t len)
++    case Gran16K:
-+{
++        return 14;
-+    for (size_t i = 0; i < len; ++i) {
++    case Gran4K:
-+        *(uint8_t *)(vptr + tile_vslice_offset(i + off)) = 0;
++        return 12;
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
-+static void clear_vertical_h(void *vptr, size_t off, size_t len)
+ /*
   * Parameters of a given virtual address, as extracted from the
   * translation control register (TCR) for a given regime.
@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
      bool tbi        : 1;
      bool epd        : 1;
      bool hpd        : 1;
 -    bool using16k   : 1;
 -    bool using64k   : 1;
      bool tsz_oob    : 1;  /* tsz has been clamped to legal range */
      bool ds         : 1;
 +    ARMGranuleSize gran : 2;
  } ARMVAParameters;
  ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
      uint64_t length;
  } TLBIRange;
 +static ARMGranuleSize tlbi_range_tg_to_gran_size(int tg)
 +{
-+    for (size_t i = 0; i < len; i += 2) {
++    /*
-+        *(uint16_t *)(vptr + tile_vslice_offset(i + off)) = 0;
++     * Note that the TLBI range TG field encoding differs from both
 +     * TG0 and TG1 encodings.
 +     */
 +    switch (tg) {
 +    case 1:
 +        return Gran4K;
 +    case 2:
 +        return Gran16K;
 +    case 3:
 +        return Gran64K;
 +    default:
 +        return GranInvalid;
 +    }
 +}
 +
-+static void clear_vertical_s(void *vptr, size_t off, size_t len)
+ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
-+{
+                                      uint64_t value)
-+    for (size_t i = 0; i < len; i += 4) {
+ {
-+        *(uint32_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
-+    }
+     uint64_t select = sextract64(value, 36, 1);
-+}
+     ARMVAParameters param = aa64_va_parameters(env, select, mmuidx, true);
-+
+     TLBIRange ret = { };
-+static void clear_vertical_d(void *vptr, size_t off, size_t len)
++    ARMGranuleSize gran;
-+{
-+    for (size_t i = 0; i < len; i += 8) {
+     page_size_granule = extract64(value, 46, 2);
-+        *(uint64_t *)(vptr + tile_vslice_offset(i + off)) = 0;
++    gran = tlbi_range_tg_to_gran_size(page_size_granule);
-+    }
-+}
+     /* The granule encoded in value must match the granule in use. */
-+
+-    if (page_size_granule != (param.using64k ? 3 : param.using16k ? 2 : 1)) {
-+static void clear_vertical_q(void *vptr, size_t off, size_t len)
++    if (gran != param.gran) {
-+{
+         qemu_log_mask(LOG_GUEST_ERROR, "Invalid tlbi page size granule %d\n",
-+    for (size_t i = 0; i < len; i += 16) {
+                       page_size_granule);
-+        memset(vptr + tile_vslice_offset(i + off), 0, 16);
+         return ret;
-+    }
+     }
-+}
-+
+-    page_shift = (page_size_granule - 1) * 2 + 12;
-+/*
++    page_shift = arm_granule_bits(gran);
-+ * Copy elements from an array into a tile slice comprising len bytes.
+     num = extract64(value, 39, 5);
-+ */
+     scale = extract64(value, 44, 2);
-+
+     exponent = (5 * scale) + 1;
-+typedef void CopyFn(void *dst, const void *src, size_t len);
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-+
+                                    ARMMMUIdx mmu_idx, bool data)
-+static void copy_horizontal(void *dst, const void *src, size_t len)
+ {
-+{
+     uint64_t tcr = regime_tcr(env, mmu_idx);
-+    memcpy(dst, src, len);
+-    bool epd, hpd, using16k, using64k, tsz_oob, ds;
-+}
++    bool epd, hpd, tsz_oob, ds;
-+
+     int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
-+static void copy_vertical_b(void *vdst, const void *vsrc, size_t len)
+     ARMGranuleSize gran;
-+{
+     ARMCPU *cpu = env_archcpu(env);
-+    const uint8_t *src = vsrc;
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-+    uint8_t *dst = vdst;
+     }
-+    size_t i;
-+
+     gran = sanitize_gran_size(cpu, gran, stage2);
-+    for (i = 0; i < len; ++i) {
+-    using64k = gran == Gran64K;
-+        dst[tile_vslice_index(i)] = src[i];
+-    using16k = gran == Gran16K;
-+    }
-+}
+     if (cpu_isar_feature(aa64_st, cpu)) {
-+
+-        max_tsz = 48 - using64k;
-+static void copy_vertical_h(void *vdst, const void *vsrc, size_t len)
++        max_tsz = 48 - (gran == Gran64K);
-+{
+     } else {
-+    const uint16_t *src = vsrc;
+         max_tsz = 39;
-+    uint16_t *dst = vdst;
+     }
-+    size_t i;
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-+
+      * adjust the effective value of DS, as documented.
-+    for (i = 0; i < len / 2; ++i) {
+      */
-+        dst[tile_vslice_index(i)] = src[i];
+     min_tsz = 16;
-+    }
+-    if (using64k) {
-+}
++    if (gran == Gran64K) {
-+
+         if (cpu_isar_feature(aa64_lva, cpu)) {
-+static void copy_vertical_s(void *vdst, const void *vsrc, size_t len)
+             min_tsz = 12;
-+{
+         }
-+    const uint32_t *src = vsrc;
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-+    uint32_t *dst = vdst;
+         switch (mmu_idx) {
-+    size_t i;
+         case ARMMMUIdx_Stage2:
-+
+         case ARMMMUIdx_Stage2_S:
-+    for (i = 0; i < len / 4; ++i) {
+-            if (using16k) {
-+        dst[tile_vslice_index(i)] = src[i];
++            if (gran == Gran16K) {
-+    }
+                 ds = cpu_isar_feature(aa64_tgran16_2_lpa2, cpu);
-+}
+             } else {
-+
+                 ds = cpu_isar_feature(aa64_tgran4_2_lpa2, cpu);
-+static void copy_vertical_d(void *vdst, const void *vsrc, size_t len)
+             }
-+{
+             break;
-+    const uint64_t *src = vsrc;
+         default:
-+    uint64_t *dst = vdst;
+-            if (using16k) {
-+    size_t i;
++            if (gran == Gran16K) {
-+
+                 ds = cpu_isar_feature(aa64_tgran16_lpa2, cpu);
-+    for (i = 0; i < len / 8; ++i) {
+             } else {
-+        dst[tile_vslice_index(i)] = src[i];
+                 ds = cpu_isar_feature(aa64_tgran4_lpa2, cpu);
-+    }
+@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-+}
+         .tbi = tbi,
-+
+         .epd = epd,
-+static void copy_vertical_q(void *vdst, const void *vsrc, size_t len)
+         .hpd = hpd,
-+{
+-        .using16k = using16k,
-+    for (size_t i = 0; i < len; i += 16) {
+-        .using64k = using64k,
-+        memcpy(vdst + tile_vslice_offset(i), vsrc + i, 16);
+         .tsz_oob = tsz_oob,
-+    }
+         .ds = ds,
-+}
++        .gran = gran,
-+
+     };
-+/*
+ }
-+ * Host and TLB primitives for vertical tile slice addressing.
-+ */
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 +
 +#define DO_LD(NAME, TYPE, HOST, TLB)                                        \
 +static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
 +{                                                                           \
 +    TYPE val = HOST(host);                                                  \
 +    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
 +}                                                                           \
 +static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
 +                        intptr_t off, target_ulong addr, uintptr_t ra)      \
 +{                                                                           \
 +    TYPE val = TLB(env, useronly_clean_ptr(addr), ra);                      \
 +    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
 +}
 +
 +#define DO_ST(NAME, TYPE, HOST, TLB)                                        \
 +static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
 +{                                                                           \
 +    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
 +    HOST(host, val);                                                        \
 +}                                                                           \
 +static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
 +                        intptr_t off, target_ulong addr, uintptr_t ra)      \
 +{                                                                           \
 +    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
 +    TLB(env, useronly_clean_ptr(addr), val, ra);                            \
 +}
 +
 +/*
 + * The ARMVectorReg elements are stored in host-endian 64-bit units.
 + * For 128-bit quantities, the sequence defined by the Elem[] pseudocode
 + * corresponds to storing the two 64-bit pieces in little-endian order.
 + */
 +#define DO_LDQ(HNAME, VNAME, BE, HOST, TLB)                                 \
 +static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
 +{                                                                           \
 +    uint64_t val0 = HOST(host), val1 = HOST(host + 8);                      \
 +    uint64_t *ptr = za + off;                                               \
 +    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
 +}                                                                           \
 +static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
 +{                                                                           \
 +    HNAME##_host(za, tile_vslice_offset(off), host);                        \
 +}                                                                           \
 +static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
 +                               target_ulong addr, uintptr_t ra)             \
 +{                                                                           \
 +    uint64_t val0 = TLB(env, useronly_clean_ptr(addr), ra);                 \
 +    uint64_t val1 = TLB(env, useronly_clean_ptr(addr + 8), ra);             \
 +    uint64_t *ptr = za + off;                                               \
 +    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
 +}                                                                           \
 +static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
 +                               target_ulong addr, uintptr_t ra)             \
 +{                                                                           \
 +    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
 +}
 +
 +#define DO_STQ(HNAME, VNAME, BE, HOST, TLB)                                 \
 +static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
 +{                                                                           \
 +    uint64_t *ptr = za + off;                                               \
 +    HOST(host, ptr[BE]);                                                    \
 +    HOST(host + 1, ptr[!BE]);                                               \
 +}                                                                           \
 +static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
 +{                                                                           \
 +    HNAME##_host(za, tile_vslice_offset(off), host);                        \
 +}                                                                           \
 +static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
 +                               target_ulong addr, uintptr_t ra)             \
 +{                                                                           \
 +    uint64_t *ptr = za + off;                                               \
 +    TLB(env, useronly_clean_ptr(addr), ptr[BE], ra);                        \
 +    TLB(env, useronly_clean_ptr(addr + 8), ptr[!BE], ra);                   \
 +}                                                                           \
 +static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
 +                               target_ulong addr, uintptr_t ra)             \
 +{                                                                           \
 +    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
 +}
 +
 +DO_LD(ld1b, uint8_t, ldub_p, cpu_ldub_data_ra)
 +DO_LD(ld1h_be, uint16_t, lduw_be_p, cpu_lduw_be_data_ra)
 +DO_LD(ld1h_le, uint16_t, lduw_le_p, cpu_lduw_le_data_ra)
 +DO_LD(ld1s_be, uint32_t, ldl_be_p, cpu_ldl_be_data_ra)
 +DO_LD(ld1s_le, uint32_t, ldl_le_p, cpu_ldl_le_data_ra)
 +DO_LD(ld1d_be, uint64_t, ldq_be_p, cpu_ldq_be_data_ra)
 +DO_LD(ld1d_le, uint64_t, ldq_le_p, cpu_ldq_le_data_ra)
 +
 +DO_LDQ(sve_ld1qq_be, sme_ld1q_be, 1, ldq_be_p, cpu_ldq_be_data_ra)
 +DO_LDQ(sve_ld1qq_le, sme_ld1q_le, 0, ldq_le_p, cpu_ldq_le_data_ra)
 +
 +DO_ST(st1b, uint8_t, stb_p, cpu_stb_data_ra)
 +DO_ST(st1h_be, uint16_t, stw_be_p, cpu_stw_be_data_ra)
 +DO_ST(st1h_le, uint16_t, stw_le_p, cpu_stw_le_data_ra)
 +DO_ST(st1s_be, uint32_t, stl_be_p, cpu_stl_be_data_ra)
 +DO_ST(st1s_le, uint32_t, stl_le_p, cpu_stl_le_data_ra)
 +DO_ST(st1d_be, uint64_t, stq_be_p, cpu_stq_be_data_ra)
 +DO_ST(st1d_le, uint64_t, stq_le_p, cpu_stq_le_data_ra)
 +
 +DO_STQ(sve_st1qq_be, sme_st1q_be, 1, stq_be_p, cpu_stq_be_data_ra)
 +DO_STQ(sve_st1qq_le, sme_st1q_le, 0, stq_le_p, cpu_stq_le_data_ra)
 +
 +#undef DO_LD
 +#undef DO_ST
 +#undef DO_LDQ
 +#undef DO_STQ
 +
 +/*
 + * Common helper for all contiguous predicated loads.
 + */
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sme_ld1(CPUARMState *env, void *za, uint64_t *vg,
 +             const target_ulong addr, uint32_t desc, const uintptr_t ra,
 +             const int esz, uint32_t mtedesc, bool vertical,
 +             sve_ldst1_host_fn *host_fn,
 +             sve_ldst1_tlb_fn *tlb_fn,
 +             ClearFn *clr_fn,
 +             CopyFn *cpy_fn)
 +{
 +    const intptr_t reg_max = simd_oprsz(desc);
 +    const intptr_t esize = 1 << esz;
 +    intptr_t reg_off, reg_last;
 +    SVEContLdSt info;
 +    void *host;
 +    int flags;
 +
 +    /* Find the active elements.  */
 +    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
 +        /* The entire predicate was false; no load occurs.  */
 +        clr_fn(za, 0, reg_max);
 +        return;
 +    }
 +
 +    /* Probe the page(s).  Exit with exception for any invalid page. */
 +    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, ra);
 +
 +    /* Handle watchpoints for all active elements. */
 +    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
 +                              BP_MEM_READ, ra);
 +
 +    /*
 +     * Handle mte checks for all active elements.
 +     * Since TBI must be set for MTE, !mtedesc => !mte_active.
 +     */
 +    if (mtedesc) {
 +        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
 +                                mtedesc, ra);
 +    }
 +
 +    flags = info.page[0].flags | info.page[1].flags;
 +    if (unlikely(flags != 0)) {
 +#ifdef CONFIG_USER_ONLY
 +        g_assert_not_reached();
 +#else
 +        /*
 +         * At least one page includes MMIO.
 +         * Any bus operation can fail with cpu_transaction_failed,
 +         * which for ARM will raise SyncExternal.  Perform the load
 +         * into scratch memory to preserve register state until the end.
 +         */
 +        ARMVectorReg scratch = { };
 +
 +        reg_off = info.reg_off_first[0];
 +        reg_last = info.reg_off_last[1];
 +        if (reg_last < 0) {
 +            reg_last = info.reg_off_split;
 +            if (reg_last < 0) {
 +                reg_last = info.reg_off_last[0];
 +            }
 +        }
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    tlb_fn(env, &scratch, reg_off, addr + reg_off, ra);
 +                }
 +                reg_off += esize;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +
 +        cpy_fn(za, &scratch, reg_max);
 +        return;
 +#endif
 +    }
 +
 +    /* The entire operation is in RAM, on valid pages. */
 +
 +    reg_off = info.reg_off_first[0];
 +    reg_last = info.reg_off_last[0];
 +    host = info.page[0].host;
 +
 +    if (!vertical) {
 +        memset(za, 0, reg_max);
 +    } else if (reg_off) {
 +        clr_fn(za, 0, reg_off);
 +    }
 +
 +    while (reg_off <= reg_last) {
 +        uint64_t pg = vg[reg_off >> 6];
 +        do {
 +            if ((pg >> (reg_off & 63)) & 1) {
 +                host_fn(za, reg_off, host + reg_off);
 +            } else if (vertical) {
 +                clr_fn(za, reg_off, esize);
 +            }
 +            reg_off += esize;
 +        } while (reg_off <= reg_last && (reg_off & 63));
 +    }
 +
 +    /*
 +     * Use the slow path to manage the cross-page misalignment.
 +     * But we know this is RAM and cannot trap.
 +     */
 +    reg_off = info.reg_off_split;
 +    if (unlikely(reg_off >= 0)) {
 +        tlb_fn(env, za, reg_off, addr + reg_off, ra);
 +    }
 +
 +    reg_off = info.reg_off_first[1];
 +    if (unlikely(reg_off >= 0)) {
 +        reg_last = info.reg_off_last[1];
 +        host = info.page[1].host;
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    host_fn(za, reg_off, host + reg_off);
 +                } else if (vertical) {
 +                    clr_fn(za, reg_off, esize);
 +                }
 +                reg_off += esize;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +    }
 +}
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,
 +                 target_ulong addr, uint32_t desc, uintptr_t ra,
 +                 const int esz, bool vertical,
 +                 sve_ldst1_host_fn *host_fn,
 +                 sve_ldst1_tlb_fn *tlb_fn,
 +                 ClearFn *clr_fn,
 +                 CopyFn *cpy_fn)
 +{
 +    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 +    int bit55 = extract64(addr, 55, 1);
 +
 +    /* Remove mtedesc from the normal sve descriptor. */
 +    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 +
 +    /* Perform gross MTE suppression early. */
 +    if (!tbi_check(desc, bit55) ||
 +        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
 +        mtedesc = 0;
 +    }
 +
 +    sme_ld1(env, za, vg, addr, desc, ra, esz, mtedesc, vertical,
 +            host_fn, tlb_fn, clr_fn, cpy_fn);
 +}
 +
 +#define DO_LD(L, END, ESZ)                                                 \
 +void HELPER(sme_ld1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
 +                                 target_ulong addr, uint32_t desc)         \
 +{                                                                          \
 +    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
 +            sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,           \
 +            clear_horizontal, copy_horizontal);                            \
 +}                                                                          \
 +void HELPER(sme_ld1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
 +                                 target_ulong addr, uint32_t desc)         \
 +{                                                                          \
 +    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
 +            sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,             \
 +            clear_vertical_##L, copy_vertical_##L);                        \
 +}                                                                          \
 +void HELPER(sme_ld1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
 +                                     target_ulong addr, uint32_t desc)     \
 +{                                                                          \
 +    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
 +                sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,       \
 +                clear_horizontal, copy_horizontal);                        \
 +}                                                                          \
 +void HELPER(sme_ld1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
 +                                     target_ulong addr, uint32_t desc)     \
 +{                                                                          \
 +    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
 +                sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,         \
 +                clear_vertical_##L, copy_vertical_##L);                    \
 +}
 +
 +DO_LD(b, , MO_8)
 +DO_LD(h, _be, MO_16)
 +DO_LD(h, _le, MO_16)
 +DO_LD(s, _be, MO_32)
 +DO_LD(s, _le, MO_32)
 +DO_LD(d, _be, MO_64)
 +DO_LD(d, _le, MO_64)
 +DO_LD(q, _be, MO_128)
 +DO_LD(q, _le, MO_128)
 +
 +#undef DO_LD
 +
 +/*
 + * Common helper for all contiguous predicated stores.
 + */
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sme_st1(CPUARMState *env, void *za, uint64_t *vg,
 +             const target_ulong addr, uint32_t desc, const uintptr_t ra,
 +             const int esz, uint32_t mtedesc, bool vertical,
 +             sve_ldst1_host_fn *host_fn,
 +             sve_ldst1_tlb_fn *tlb_fn)
 +{
 +    const intptr_t reg_max = simd_oprsz(desc);
 +    const intptr_t esize = 1 << esz;
 +    intptr_t reg_off, reg_last;
 +    SVEContLdSt info;
 +    void *host;
 +    int flags;
 +
 +    /* Find the active elements.  */
 +    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
 +        /* The entire predicate was false; no store occurs.  */
 +        return;
 +    }
 +
 +    /* Probe the page(s).  Exit with exception for any invalid page. */
 +    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_STORE, ra);
 +
 +    /* Handle watchpoints for all active elements. */
 +    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
 +                              BP_MEM_WRITE, ra);
 +
 +    /*
 +     * Handle mte checks for all active elements.
 +     * Since TBI must be set for MTE, !mtedesc => !mte_active.
 +     */
 +    if (mtedesc) {
 +        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
 +                                mtedesc, ra);
 +    }
 +
 +    flags = info.page[0].flags | info.page[1].flags;
 +    if (unlikely(flags != 0)) {
 +#ifdef CONFIG_USER_ONLY
 +        g_assert_not_reached();
 +#else
 +        /*
 +         * At least one page includes MMIO.
 +         * Any bus operation can fail with cpu_transaction_failed,
 +         * which for ARM will raise SyncExternal.  We cannot avoid
 +         * this fault and will leave with the store incomplete.
 +         */
 +        reg_off = info.reg_off_first[0];
 +        reg_last = info.reg_off_last[1];
 +        if (reg_last < 0) {
 +            reg_last = info.reg_off_split;
 +            if (reg_last < 0) {
 +                reg_last = info.reg_off_last[0];
 +            }
 +        }
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    tlb_fn(env, za, reg_off, addr + reg_off, ra);
 +                }
 +                reg_off += esize;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +        return;
 +#endif
 +    }
 +
 +    reg_off = info.reg_off_first[0];
 +    reg_last = info.reg_off_last[0];
 +    host = info.page[0].host;
 +
 +    while (reg_off <= reg_last) {
 +        uint64_t pg = vg[reg_off >> 6];
 +        do {
 +            if ((pg >> (reg_off & 63)) & 1) {
 +                host_fn(za, reg_off, host + reg_off);
 +            }
 +            reg_off += 1 << esz;
 +        } while (reg_off <= reg_last && (reg_off & 63));
 +    }
 +
 +    /*
 +     * Use the slow path to manage the cross-page misalignment.
 +     * But we know this is RAM and cannot trap.
 +     */
 +    reg_off = info.reg_off_split;
 +    if (unlikely(reg_off >= 0)) {
 +        tlb_fn(env, za, reg_off, addr + reg_off, ra);
 +    }
 +
 +    reg_off = info.reg_off_first[1];
 +    if (unlikely(reg_off >= 0)) {
 +        reg_last = info.reg_off_last[1];
 +        host = info.page[1].host;
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    host_fn(za, reg_off, host + reg_off);
 +                }
 +                reg_off += 1 << esz;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +    }
 +}
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,
 +                 uint32_t desc, uintptr_t ra, int esz, bool vertical,
 +                 sve_ldst1_host_fn *host_fn,
 +                 sve_ldst1_tlb_fn *tlb_fn)
 +{
 +    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 +    int bit55 = extract64(addr, 55, 1);
 +
 +    /* Remove mtedesc from the normal sve descriptor. */
 +    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 +
 +    /* Perform gross MTE suppression early. */
 +    if (!tbi_check(desc, bit55) ||
 +        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
 +        mtedesc = 0;
 +    }
 +
 +    sme_st1(env, za, vg, addr, desc, ra, esz, mtedesc,
 +            vertical, host_fn, tlb_fn);
 +}
 +
 +#define DO_ST(L, END, ESZ)                                                 \
 +void HELPER(sme_st1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
 +                                 target_ulong addr, uint32_t desc)         \
 +{                                                                          \
 +    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
 +            sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);          \
 +}                                                                          \
 +void HELPER(sme_st1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
 +                                 target_ulong addr, uint32_t desc)         \
 +{                                                                          \
 +    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
 +            sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);            \
 +}                                                                          \
 +void HELPER(sme_st1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
 +                                     target_ulong addr, uint32_t desc)     \
 +{                                                                          \
 +    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
 +                sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);      \
 +}                                                                          \
 +void HELPER(sme_st1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
 +                                     target_ulong addr, uint32_t desc)     \
 +{                                                                          \
 +    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
 +                sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);        \
 +}
 +
 +DO_ST(b, , MO_8)
 +DO_ST(h, _be, MO_16)
 +DO_ST(h, _le, MO_16)
 +DO_ST(s, _be, MO_32)
 +DO_ST(s, _le, MO_32)
 +DO_ST(d, _be, MO_64)
 +DO_ST(d, _le, MO_64)
 +DO_ST(q, _be, MO_128)
 +DO_ST(q, _le, MO_128)
 +
 +#undef DO_ST
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/translate-sme.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_MOVA(DisasContext *s, arg_MOVA *a)
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
+         }
-     return true;
+     }
- }
-+
+-    if (param.using64k) {
-+static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
+-        stride = 13;
-+{
+-    } else if (param.using16k) {
-+    typedef void GenLdSt1(TCGv_env, TCGv_ptr, TCGv_ptr, TCGv, TCGv_i32);
+-        stride = 11;
-+
+-    } else {
-+    /*
+-        stride = 9;
-+     * Indexed by [esz][be][v][mte][st], which is (except for load/store)
+-    }
-+     * also the order in which the elements appear in the function names,
++    stride = arm_granule_bits(param.gran) - 3;
-+     * and so how we must concatenate the pieces.
-+     */
+     /*
-+
+      * Note that QEMU ignores shareability and cacheability attributes,
 +#define FN_LS(F)     { gen_helper_sme_ld1##F, gen_helper_sme_st1##F }
 +#define FN_MTE(F)    { FN_LS(F), FN_LS(F##_mte) }
 +#define FN_HV(F)     { FN_MTE(F##_h), FN_MTE(F##_v) }
 +#define FN_END(L, B) { FN_HV(L), FN_HV(B) }
 +
 +    static GenLdSt1 * const fns[5][2][2][2][2] = {
 +        FN_END(b, b),
 +        FN_END(h_le, h_be),
 +        FN_END(s_le, s_be),
 +        FN_END(d_le, d_be),
 +        FN_END(q_le, q_be),
 +    };
 +
 +#undef FN_LS
 +#undef FN_MTE
 +#undef FN_HV
 +#undef FN_END
 +
 +    TCGv_ptr t_za, t_pg;
 +    TCGv_i64 addr;
 +    int svl, desc = 0;
 +    bool be = s->be_data == MO_BE;
 +    bool mte = s->mte_active[0];
 +
 +    if (!dc_isar_feature(aa64_sme, s)) {
 +        return false;
 +    }
 +    if (!sme_smza_enabled_check(s)) {
 +        return true;
 +    }
 +
 +    t_za = get_tile_rowcol(s, a->esz, a->rs, a->za_imm, a->v);
 +    t_pg = pred_full_reg_ptr(s, a->pg);
 +    addr = tcg_temp_new_i64();
 +
 +    tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), a->esz);
 +    tcg_gen_add_i64(addr, addr, cpu_reg_sp(s, a->rn));
 +
 +    if (mte) {
 +        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
 +        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
 +        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
 +        desc = FIELD_DP32(desc, MTEDESC, WRITE, a->st);
 +        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << a->esz) - 1);
 +        desc <<= SVE_MTEDESC_SHIFT;
 +    } else {
 +        addr = clean_data_tbi(s, addr);
 +    }
 +    svl = streaming_vec_reg_size(s);
 +    desc = simd_desc(svl, svl, desc);
 +
 +    fns[a->esz][be][a->v][mte][a->st](cpu_env, t_za, t_pg, addr,
 +                                      tcg_constant_i32(desc));
 +
 +    tcg_temp_free_ptr(t_za);
 +    tcg_temp_free_ptr(t_pg);
 +    tcg_temp_free_i64(addr);
 +    return true;
 +}
 --
 .25.1

-[PULL 22/45] target/arm: Implement SME LDR, STR
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-We can reuse the SVE functions for LDR and STR, passing in the
-base of the ZA vector and a zero offset.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-23-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme.decode      |  7 +++++++
- target/arm/translate-sme.c | 24 ++++++++++++++++++++++++
-files changed, 31 insertions(+)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
-                 &ldst rs=%mova_rs
- LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
-                 &ldst esz=4 rs=%mova_rs
-+
-+&ldstr          rv rn imm
-+@ldstr          ....... ... . ...... .. ... rn:5 . imm:4 \
-+                &ldstr rv=%mova_rs
-+
-+LDR             1110000 100 0 000000 .. 000 ..... 0 ....        @ldstr
-+STR             1110000 100 1 000000 .. 000 ..... 0 ....        @ldstr
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
-     tcg_temp_free_i64(addr);
-     return true;
- }
-+
-+typedef void GenLdStR(DisasContext *, TCGv_ptr, int, int, int, int);
-+
-+static bool do_ldst_r(DisasContext *s, arg_ldstr *a, GenLdStR *fn)
-+{
-+    int svl = streaming_vec_reg_size(s);
-+    int imm = a->imm;
-+    TCGv_ptr base;
-+
-+    if (!sme_za_enabled_check(s)) {
-+        return true;
-+    }
-+
-+    /* ZA[n] equates to ZA0H.B[n]. */
-+    base = get_tile_rowcol(s, MO_8, a->rv, imm, false);
-+
-+    fn(s, base, 0, svl, a->rn, imm * svl);
-+
-+    tcg_temp_free_ptr(base);
-+    return true;
-+}
-+
-+TRANS_FEAT(LDR, aa64_sme, do_ldst_r, a, gen_sve_ldr)
-+TRANS_FEAT(STR, aa64_sme, do_ldst_r, a, gen_sve_str)
---
-.25.1

-[PULL 24/45] target/arm: Implement FMOPA, FMOPS (non-widening)
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-25-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-sme.h    |  5 +++
- target/arm/sme.decode      |  9 +++++
- target/arm/sme_helper.c    | 69 ++++++++++++++++++++++++++++++++++++++
- target/arm/translate-sme.c | 32 ++++++++++++++++++
-files changed, 115 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
-+++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sme_addha_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_5(sme_addva_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-+
-+DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ ADDHA_s         11000000 10 01000 0 ... ... ..... 000 ..        @adda_32
- ADDVA_s         11000000 10 01000 1 ... ... ..... 000 ..        @adda_32
- ADDHA_d         11000000 11 01000 0 ... ... ..... 00 ...        @adda_64
- ADDVA_d         11000000 11 01000 1 ... ... ..... 00 ...        @adda_64
-+
-+### SME Outer Product
-+
-+&op             zad zn zm pm pn sub:bool
-+@op_32          ........ ... zm:5 pm:3 pn:3 zn:5 sub:1 .. zad:2 &op
-+@op_64          ........ ... zm:5 pm:3 pn:3 zn:5 sub:1 .  zad:3 &op
-+
-+FMOPA_s         10000000 100 ..... ... ... ..... . 00 ..        @op_32
-+FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme_helper.c
-+++ b/target/arm/sme_helper.c
-@@ -XXX,XX +XXX,XX @@
- #include "exec/cpu_ldst.h"
- #include "exec/exec-all.h"
- #include "qemu/int128.h"
-+#include "fpu/softfloat.h"
- #include "vec_internal.h"
- #include "sve_ldst_internal.h"
-@@ -XXX,XX +XXX,XX @@ void HELPER(sme_addva_d)(void *vzda, void *vzn, void *vpn,
-         }
-     }
- }
-+
-+void HELPER(sme_fmopa_s)(void *vza, void *vzn, void *vzm, void *vpn,
-+                         void *vpm, void *vst, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_maxsz(desc);
-+    uint32_t neg = simd_data(desc) << 31;
-+    uint16_t *pn = vpn, *pm = vpm;
-+    float_status fpst;
-+
-+    /*
-+     * Make a copy of float_status because this operation does not
-+     * update the cumulative fp exception status.  It also produces
-+     * default nans.
-+     */
-+    fpst = *(float_status *)vst;
-+    set_default_nan_mode(true, &fpst);
-+
-+    for (row = 0; row < oprsz; ) {
-+        uint16_t pa = pn[H2(row >> 4)];
-+        do {
-+            if (pa & 1) {
-+                void *vza_row = vza + tile_vslice_offset(row);
-+                uint32_t n = *(uint32_t *)(vzn + H1_4(row)) ^ neg;
-+
-+                for (col = 0; col < oprsz; ) {
-+                    uint16_t pb = pm[H2(col >> 4)];
-+                    do {
-+                        if (pb & 1) {
-+                            uint32_t *a = vza_row + H1_4(col);
-+                            uint32_t *m = vzm + H1_4(col);
-+                            *a = float32_muladd(n, *m, *a, 0, vst);
-+                        }
-+                        col += 4;
-+                        pb >>= 4;
-+                    } while (col & 15);
-+                }
-+            }
-+            row += 4;
-+            pa >>= 4;
-+        } while (row & 15);
-+    }
-+}
-+
-+void HELPER(sme_fmopa_d)(void *vza, void *vzn, void *vzm, void *vpn,
-+                         void *vpm, void *vst, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
-+    uint64_t neg = (uint64_t)simd_data(desc) << 63;
-+    uint64_t *za = vza, *zn = vzn, *zm = vzm;
-+    uint8_t *pn = vpn, *pm = vpm;
-+    float_status fpst = *(float_status *)vst;
-+
-+    set_default_nan_mode(true, &fpst);
-+
-+    for (row = 0; row < oprsz; ++row) {
-+        if (pn[H1(row)] & 1) {
-+            uint64_t *za_row = &za[tile_vslice_index(row)];
-+            uint64_t n = zn[row] ^ neg;
-+
-+            for (col = 0; col < oprsz; ++col) {
-+                if (pm[H1(col)] & 1) {
-+                    uint64_t *a = &za_row[col];
-+                    *a = float64_muladd(n, zm[col], *a, 0, &fpst);
-+                }
-+            }
-+        }
-+    }
-+}
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(ADDHA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addha_s)
- TRANS_FEAT(ADDVA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addva_s)
- TRANS_FEAT(ADDHA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addha_d)
- TRANS_FEAT(ADDVA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addva_d)
-+
-+static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
-+                            gen_helper_gvec_5_ptr *fn)
-+{
-+    int svl = streaming_vec_reg_size(s);
-+    uint32_t desc = simd_desc(svl, svl, a->sub);
-+    TCGv_ptr za, zn, zm, pn, pm, fpst;
-+
-+    if (!sme_smza_enabled_check(s)) {
-+        return true;
-+    }
-+
-+    /* Sum XZR+zad to find ZAd. */
-+    za = get_tile_rowcol(s, esz, 31, a->zad, false);
-+    zn = vec_full_reg_ptr(s, a->zn);
-+    zm = vec_full_reg_ptr(s, a->zm);
-+    pn = pred_full_reg_ptr(s, a->pn);
-+    pm = pred_full_reg_ptr(s, a->pm);
-+    fpst = fpstatus_ptr(FPST_FPCR);
-+
-+    fn(za, zn, zm, pn, pm, fpst, tcg_constant_i32(desc));
-+
-+    tcg_temp_free_ptr(za);
-+    tcg_temp_free_ptr(zn);
-+    tcg_temp_free_ptr(pn);
-+    tcg_temp_free_ptr(pm);
-+    tcg_temp_free_ptr(fpst);
-+    return true;
-+}
-+
-+TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
-+TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
---
-.25.1

-[PULL 25/45] target/arm: Implement BFMOPA, BFMOPS
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-26-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-sme.h    |  2 ++
- target/arm/sme.decode      |  2 ++
- target/arm/sme_helper.c    | 56 ++++++++++++++++++++++++++++++++++++++
- target/arm/translate-sme.c | 30 ++++++++++++++++++++
-files changed, 90 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
-+++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_bfmopa, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ ADDVA_d         11000000 11 01000 1 ... ... ..... 00 ...        @adda_64
- FMOPA_s         10000000 100 ..... ... ... ..... . 00 ..        @op_32
- FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
-+
-+BFMOPA          10000001 100 ..... ... ... ..... . 00 ..        @op_32
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme_helper.c
-+++ b/target/arm/sme_helper.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(sme_fmopa_d)(void *vza, void *vzn, void *vzm, void *vpn,
-         }
-     }
- }
-+
-+/*
-+ * Alter PAIR as needed for controlling predicates being false,
-+ * and for NEG on an enabled row element.
-+ */
-+static inline uint32_t f16mop_adj_pair(uint32_t pair, uint32_t pg, uint32_t neg)
-+{
-+    /*
-+     * The pseudocode uses a conditional negate after the conditional zero.
-+     * It is simpler here to unconditionally negate before conditional zero.
-+     */
-+    pair ^= neg;
-+    if (!(pg & 1)) {
-+        pair &= 0xffff0000u;
-+    }
-+    if (!(pg & 4)) {
-+        pair &= 0x0000ffffu;
-+    }
-+    return pair;
-+}
-+
-+void HELPER(sme_bfmopa)(void *vza, void *vzn, void *vzm, void *vpn,
-+                        void *vpm, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_maxsz(desc);
-+    uint32_t neg = simd_data(desc) * 0x80008000u;
-+    uint16_t *pn = vpn, *pm = vpm;
-+
-+    for (row = 0; row < oprsz; ) {
-+        uint16_t prow = pn[H2(row >> 4)];
-+        do {
-+            void *vza_row = vza + tile_vslice_offset(row);
-+            uint32_t n = *(uint32_t *)(vzn + H1_4(row));
-+
-+            n = f16mop_adj_pair(n, prow, neg);
-+
-+            for (col = 0; col < oprsz; ) {
-+                uint16_t pcol = pm[H2(col >> 4)];
-+                do {
-+                    if (prow & pcol & 0b0101) {
-+                        uint32_t *a = vza_row + H1_4(col);
-+                        uint32_t m = *(uint32_t *)(vzm + H1_4(col));
-+
-+                        m = f16mop_adj_pair(m, pcol, 0);
-+                        *a = bfdotadd(*a, n, m);
-+
-+                        col += 4;
-+                        pcol >>= 4;
-+                    }
-+                } while (col & 15);
-+            }
-+            row += 4;
-+            prow >>= 4;
-+        } while (row & 15);
-+    }
-+}
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(ADDVA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addva_s)
- TRANS_FEAT(ADDHA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addha_d)
- TRANS_FEAT(ADDVA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addva_d)
-+static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
-+                       gen_helper_gvec_5 *fn)
-+{
-+    int svl = streaming_vec_reg_size(s);
-+    uint32_t desc = simd_desc(svl, svl, a->sub);
-+    TCGv_ptr za, zn, zm, pn, pm;
-+
-+    if (!sme_smza_enabled_check(s)) {
-+        return true;
-+    }
-+
-+    /* Sum XZR+zad to find ZAd. */
-+    za = get_tile_rowcol(s, esz, 31, a->zad, false);
-+    zn = vec_full_reg_ptr(s, a->zn);
-+    zm = vec_full_reg_ptr(s, a->zm);
-+    pn = pred_full_reg_ptr(s, a->pn);
-+    pm = pred_full_reg_ptr(s, a->pm);
-+
-+    fn(za, zn, zm, pn, pm, tcg_constant_i32(desc));
-+
-+    tcg_temp_free_ptr(za);
-+    tcg_temp_free_ptr(zn);
-+    tcg_temp_free_ptr(pn);
-+    tcg_temp_free_ptr(pm);
-+    return true;
-+}
-+
- static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
-                             gen_helper_gvec_5_ptr *fn)
- {
-@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
- TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
- TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
-+
-+/* TODO: FEAT_EBF16 */
-+TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)
---
-.25.1

-[PULL 26/45] target/arm: Implement FMOPA, FMOPS (widening)
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-27-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-sme.h    |  2 ++
- target/arm/sme.decode      |  1 +
- target/arm/sme_helper.c    | 74 ++++++++++++++++++++++++++++++++++++++
- target/arm/translate-sme.c |  1 +
-files changed, 78 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
-+++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sme_addva_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_7(sme_fmopa_h, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ FMOPA_s         10000000 100 ..... ... ... ..... . 00 ..        @op_32
- FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
- BFMOPA          10000001 100 ..... ... ... ..... . 00 ..        @op_32
-+FMOPA_h         10000001 101 ..... ... ... ..... . 00 ..        @op_32
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme_helper.c
-+++ b/target/arm/sme_helper.c
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t f16mop_adj_pair(uint32_t pair, uint32_t pg, uint32_t neg)
-     return pair;
- }
-+static float32 f16_dotadd(float32 sum, uint32_t e1, uint32_t e2,
-+                          float_status *s_std, float_status *s_odd)
-+{
-+    float64 e1r = float16_to_float64(e1 & 0xffff, true, s_std);
-+    float64 e1c = float16_to_float64(e1 >> 16, true, s_std);
-+    float64 e2r = float16_to_float64(e2 & 0xffff, true, s_std);
-+    float64 e2c = float16_to_float64(e2 >> 16, true, s_std);
-+    float64 t64;
-+    float32 t32;
-+
-+    /*
-+     * The ARM pseudocode function FPDot performs both multiplies
-+     * and the add with a single rounding operation.  Emulate this
-+     * by performing the first multiply in round-to-odd, then doing
-+     * the second multiply as fused multiply-add, and rounding to
-+     * float32 all in one step.
-+     */
-+    t64 = float64_mul(e1r, e2r, s_odd);
-+    t64 = float64r32_muladd(e1c, e2c, t64, 0, s_std);
-+
-+    /* This conversion is exact, because we've already rounded. */
-+    t32 = float64_to_float32(t64, s_std);
-+
-+    /* The final accumulation step is not fused. */
-+    return float32_add(sum, t32, s_std);
-+}
-+
-+void HELPER(sme_fmopa_h)(void *vza, void *vzn, void *vzm, void *vpn,
-+                         void *vpm, void *vst, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_maxsz(desc);
-+    uint32_t neg = simd_data(desc) * 0x80008000u;
-+    uint16_t *pn = vpn, *pm = vpm;
-+    float_status fpst_odd, fpst_std;
-+
-+    /*
-+     * Make a copy of float_status because this operation does not
-+     * update the cumulative fp exception status.  It also produces
-+     * default nans.  Make a second copy with round-to-odd -- see above.
-+     */
-+    fpst_std = *(float_status *)vst;
-+    set_default_nan_mode(true, &fpst_std);
-+    fpst_odd = fpst_std;
-+    set_float_rounding_mode(float_round_to_odd, &fpst_odd);
-+
-+    for (row = 0; row < oprsz; ) {
-+        uint16_t prow = pn[H2(row >> 4)];
-+        do {
-+            void *vza_row = vza + tile_vslice_offset(row);
-+            uint32_t n = *(uint32_t *)(vzn + H1_4(row));
-+
-+            n = f16mop_adj_pair(n, prow, neg);
-+
-+            for (col = 0; col < oprsz; ) {
-+                uint16_t pcol = pm[H2(col >> 4)];
-+                do {
-+                    if (prow & pcol & 0b0101) {
-+                        uint32_t *a = vza_row + H1_4(col);
-+                        uint32_t m = *(uint32_t *)(vzm + H1_4(col));
-+
-+                        m = f16mop_adj_pair(m, pcol, 0);
-+                        *a = f16_dotadd(*a, n, m, &fpst_std, &fpst_odd);
-+
-+                        col += 4;
-+                        pcol >>= 4;
-+                    }
-+                } while (col & 15);
-+            }
-+            row += 4;
-+            prow >>= 4;
-+        } while (row & 15);
-+    }
-+}
-+
- void HELPER(sme_bfmopa)(void *vza, void *vzn, void *vzm, void *vpn,
-                         void *vpm, uint32_t desc)
- {
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
-     return true;
- }
-+TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_h)
- TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
- TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
---
-.25.1

-[PULL 28/45] target/arm: Implement PSEL
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-This is an SVE instruction that operates using the SVE vector
-length but that it is present only if SME is implemented.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-29-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sve.decode      | 20 +++++++++++++
- target/arm/translate-sve.c | 57 ++++++++++++++++++++++++++++++++++++++
-files changed, 77 insertions(+)
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve.decode
-+++ b/target/arm/sve.decode
-@@ -XXX,XX +XXX,XX @@ BFMLALT_zzxw    01100100 11 1 ..... 0100.1 ..... .....     @rrxr_3a esz=2
- ### SVE2 floating-point bfloat16 dot-product (indexed)
- BFDOT_zzxz      01100100 01 1 ..... 010000 ..... .....     @rrxr_2 esz=2
-+
-+### SVE broadcast predicate element
-+
-+&psel           esz pd pn pm rv imm
-+%psel_rv        16:2 !function=plus_12
-+%psel_imm_b     22:2 19:2
-+%psel_imm_h     22:2 20:1
-+%psel_imm_s     22:2
-+%psel_imm_d     23:1
-+@psel           ........ .. . ... .. .. pn:4 . pm:4 . pd:4  \
-+                &psel rv=%psel_rv
-+
-+PSEL            00100101 .. 1 ..1 .. 01 .... 0 .... 0 ....  \
-+                @psel esz=0 imm=%psel_imm_b
-+PSEL            00100101 .. 1 .10 .. 01 .... 0 .... 0 ....  \
-+                @psel esz=1 imm=%psel_imm_h
-+PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
-+                @psel esz=2 imm=%psel_imm_s
-+PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
-+                @psel esz=3 imm=%psel_imm_d
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool do_BFMLAL_zzxw(DisasContext *s, arg_rrxr_esz *a, bool sel)
- TRANS_FEAT(BFMLALB_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, false)
- TRANS_FEAT(BFMLALT_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, true)
-+
-+static bool trans_PSEL(DisasContext *s, arg_psel *a)
-+{
-+    int vl = vec_full_reg_size(s);
-+    int pl = pred_gvec_reg_size(s);
-+    int elements = vl >> a->esz;
-+    TCGv_i64 tmp, didx, dbit;
-+    TCGv_ptr ptr;
-+
-+    if (!dc_isar_feature(aa64_sme, s)) {
-+        return false;
-+    }
-+    if (!sve_access_check(s)) {
-+        return true;
-+    }
-+
-+    tmp = tcg_temp_new_i64();
-+    dbit = tcg_temp_new_i64();
-+    didx = tcg_temp_new_i64();
-+    ptr = tcg_temp_new_ptr();
-+
-+    /* Compute the predicate element. */
-+    tcg_gen_addi_i64(tmp, cpu_reg(s, a->rv), a->imm);
-+    if (is_power_of_2(elements)) {
-+        tcg_gen_andi_i64(tmp, tmp, elements - 1);
-+    } else {
-+        tcg_gen_remu_i64(tmp, tmp, tcg_constant_i64(elements));
-+    }
-+
-+    /* Extract the predicate byte and bit indices. */
-+    tcg_gen_shli_i64(tmp, tmp, a->esz);
-+    tcg_gen_andi_i64(dbit, tmp, 7);
-+    tcg_gen_shri_i64(didx, tmp, 3);
-+    if (HOST_BIG_ENDIAN) {
-+        tcg_gen_xori_i64(didx, didx, 7);
-+    }
-+
-+    /* Load the predicate word. */
-+    tcg_gen_trunc_i64_ptr(ptr, didx);
-+    tcg_gen_add_ptr(ptr, ptr, cpu_env);
-+    tcg_gen_ld8u_i64(tmp, ptr, pred_full_reg_offset(s, a->pm));
-+
-+    /* Extract the predicate bit and replicate to MO_64. */
-+    tcg_gen_shr_i64(tmp, tmp, dbit);
-+    tcg_gen_andi_i64(tmp, tmp, 1);
-+    tcg_gen_neg_i64(tmp, tmp);
-+
-+    /* Apply to either copy the source, or write zeros. */
-+    tcg_gen_gvec_ands(MO_64, pred_full_reg_offset(s, a->pd),
-+                      pred_full_reg_offset(s, a->pn), tmp, pl, pl);
-+
-+    tcg_temp_free_i64(tmp);
-+    tcg_temp_free_i64(dbit);
-+    tcg_temp_free_i64(didx);
-+    tcg_temp_free_ptr(ptr);
-+    return true;
-+}
---
-.25.1

-[PULL 30/45] target/arm: Implement SCLAMP, UCLAMP
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-This is an SVE instruction that operates using the SVE vector
-length but that it is present only if SME is implemented.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-31-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.h        |  18 +++++++
- target/arm/sve.decode      |   5 ++
- target/arm/translate-sve.c | 102 +++++++++++++++++++++++++++++++++++++
- target/arm/vec_helper.c    |  24 +++++++++
-files changed, 149 insertions(+)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
-+++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(gvec_bfmlal, TCG_CALL_NO_RWG,
- DEF_HELPER_FLAGS_6(gvec_bfmlal_idx, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sclamp_b, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sclamp_h, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sclamp_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sclamp_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+
-+DEF_HELPER_FLAGS_5(gvec_uclamp_b, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uclamp_h, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uclamp_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uclamp_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+
- #ifdef TARGET_AARCH64
- #include "helper-a64.h"
- #include "helper-sve.h"
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve.decode
-+++ b/target/arm/sve.decode
-@@ -XXX,XX +XXX,XX @@ PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
-                 @psel esz=2 imm=%psel_imm_s
- PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
-                 @psel esz=3 imm=%psel_imm_d
-+
-+### SVE clamp
-+
-+SCLAMP          01000100 .. 0 ..... 110000 ..... .....          @rda_rn_rm
-+UCLAMP          01000100 .. 0 ..... 110001 ..... .....          @rda_rn_rm
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_PSEL(DisasContext *s, arg_psel *a)
-     tcg_temp_free_ptr(ptr);
-     return true;
- }
-+
-+static void gen_sclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
-+{
-+    tcg_gen_smax_i32(d, a, n);
-+    tcg_gen_smin_i32(d, d, m);
-+}
-+
-+static void gen_sclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
-+{
-+    tcg_gen_smax_i64(d, a, n);
-+    tcg_gen_smin_i64(d, d, m);
-+}
-+
-+static void gen_sclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
-+                           TCGv_vec m, TCGv_vec a)
-+{
-+    tcg_gen_smax_vec(vece, d, a, n);
-+    tcg_gen_smin_vec(vece, d, d, m);
-+}
-+
-+static void gen_sclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
-+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
-+{
-+    static const TCGOpcode vecop[] = {
-+        INDEX_op_smin_vec, INDEX_op_smax_vec, 0
-+    };
-+    static const GVecGen4 ops[4] = {
-+        { .fniv = gen_sclamp_vec,
-+          .fno  = gen_helper_gvec_sclamp_b,
-+          .opt_opc = vecop,
-+          .vece = MO_8 },
-+        { .fniv = gen_sclamp_vec,
-+          .fno  = gen_helper_gvec_sclamp_h,
-+          .opt_opc = vecop,
-+          .vece = MO_16 },
-+        { .fni4 = gen_sclamp_i32,
-+          .fniv = gen_sclamp_vec,
-+          .fno  = gen_helper_gvec_sclamp_s,
-+          .opt_opc = vecop,
-+          .vece = MO_32 },
-+        { .fni8 = gen_sclamp_i64,
-+          .fniv = gen_sclamp_vec,
-+          .fno  = gen_helper_gvec_sclamp_d,
-+          .opt_opc = vecop,
-+          .vece = MO_64,
-+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
-+    };
-+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
-+}
-+
-+TRANS_FEAT(SCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_sclamp, a)
-+
-+static void gen_uclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
-+{
-+    tcg_gen_umax_i32(d, a, n);
-+    tcg_gen_umin_i32(d, d, m);
-+}
-+
-+static void gen_uclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
-+{
-+    tcg_gen_umax_i64(d, a, n);
-+    tcg_gen_umin_i64(d, d, m);
-+}
-+
-+static void gen_uclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
-+                           TCGv_vec m, TCGv_vec a)
-+{
-+    tcg_gen_umax_vec(vece, d, a, n);
-+    tcg_gen_umin_vec(vece, d, d, m);
-+}
-+
-+static void gen_uclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
-+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
-+{
-+    static const TCGOpcode vecop[] = {
-+        INDEX_op_umin_vec, INDEX_op_umax_vec, 0
-+    };
-+    static const GVecGen4 ops[4] = {
-+        { .fniv = gen_uclamp_vec,
-+          .fno  = gen_helper_gvec_uclamp_b,
-+          .opt_opc = vecop,
-+          .vece = MO_8 },
-+        { .fniv = gen_uclamp_vec,
-+          .fno  = gen_helper_gvec_uclamp_h,
-+          .opt_opc = vecop,
-+          .vece = MO_16 },
-+        { .fni4 = gen_uclamp_i32,
-+          .fniv = gen_uclamp_vec,
-+          .fno  = gen_helper_gvec_uclamp_s,
-+          .opt_opc = vecop,
-+          .vece = MO_32 },
-+        { .fni8 = gen_uclamp_i64,
-+          .fniv = gen_uclamp_vec,
-+          .fno  = gen_helper_gvec_uclamp_d,
-+          .opt_opc = vecop,
-+          .vece = MO_64,
-+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
-+    };
-+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
-+}
-+
-+TRANS_FEAT(UCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_uclamp, a)
-diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vec_helper.c
-+++ b/target/arm/vec_helper.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_bfmlal_idx)(void *vd, void *vn, void *vm,
-     }
-     clear_tail(d, opr_sz, simd_maxsz(desc));
- }
-+
-+#define DO_CLAMP(NAME, TYPE) \
-+void HELPER(NAME)(void *d, void *n, void *m, void *a, uint32_t desc)    \
-+{                                                                       \
-+    intptr_t i, opr_sz = simd_oprsz(desc);                              \
-+    for (i = 0; i < opr_sz; i += sizeof(TYPE)) {                        \
-+        TYPE aa = *(TYPE *)(a + i);                                     \
-+        TYPE nn = *(TYPE *)(n + i);                                     \
-+        TYPE mm = *(TYPE *)(m + i);                                     \
-+        TYPE dd = MIN(MAX(aa, nn), mm);                                 \
-+        *(TYPE *)(d + i) = dd;                                          \
-+    }                                                                   \
-+    clear_tail(d, opr_sz, simd_maxsz(desc));                            \
-+}
-+
-+DO_CLAMP(gvec_sclamp_b, int8_t)
-+DO_CLAMP(gvec_sclamp_h, int16_t)
-+DO_CLAMP(gvec_sclamp_s, int32_t)
-+DO_CLAMP(gvec_sclamp_d, int64_t)
-+
-+DO_CLAMP(gvec_uclamp_b, uint8_t)
-+DO_CLAMP(gvec_uclamp_h, uint16_t)
-+DO_CLAMP(gvec_uclamp_s, uint32_t)
-+DO_CLAMP(gvec_uclamp_d, uint64_t)
---
-.25.1

-[PULL 32/45] target/arm: Enable SME for -cpu max
+[PULL 28/28] docs/system/arm/emulation.rst: Report FEAT_GTG support
-From: Richard Henderson <richard.henderson@linaro.org>
+FEAT_GTG is a change tho the ID register ID_AA64MMFR0_EL1 so that it
 can report a different set of supported granule (page) sizes for
 stage 1 and stage 2 translation tables.  As of commit c20281b2a5048
 we already report the granule sizes that way for '-cpu max', and now
 we also correctly make attempts to use unimplemented granule sizes
 fail, so we can report the support of the feature in the
 documentation.
-Note that SME remains effectively disabled for user-only,
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 because we do not yet set CPACR_EL1.SMEN.  This needs to
 wait until the kernel ABI is implemented.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-33-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20221003162315.2833797-4-peter.maydell@linaro.org
 ---
- docs/system/arm/emulation.rst |  4 ++++
+ docs/system/arm/emulation.rst | 1 +
- target/arm/cpu64.c            | 11 +++++++++++
+file changed, 1 insertion(+)
 files changed, 15 insertions(+)
 diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/system/arm/emulation.rst
 +++ b/docs/system/arm/emulation.rst
 @@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- - FEAT_SHA512 (Advanced SIMD SHA512 instructions)
+ - FEAT_FRINTTS (Floating-point to integer instructions)
- - FEAT_SM3 (Advanced SIMD SM3 instructions)
+ - FEAT_FlagM (Flag manipulation instructions v2)
- - FEAT_SM4 (Advanced SIMD SM4 instructions)
+ - FEAT_FlagM2 (Enhancements to flag manipulation instructions)
-+- FEAT_SME (Scalable Matrix Extension)
++- FEAT_GTG (Guest translation granule size)
-+- FEAT_SME_FA64 (Full A64 instruction set in Streaming SVE mode)
+ - FEAT_HCX (Support for the HCRX_EL2 register)
-+- FEAT_SME_F64F64 (Double-precision floating-point outer product instructions)
+ - FEAT_HPDS (Hierarchical permission disables)
-+- FEAT_SME_I16I64 (16-bit to 64-bit integer widening outer product instructions)
+ - FEAT_I8MM (AArch64 Int8 matrix multiplication instructions)
  - FEAT_SPECRES (Speculation restriction instructions)
  - FEAT_SSBS (Speculative Store Bypass Safe)
  - FEAT_TLBIOS (TLB invalidate instructions in Outer Shareable domain)
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
       */
      t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
      t = FIELD_DP64(t, ID_AA64PFR1, RAS_FRAC, 0);  /* FEAT_RASv1p1 + FEAT_DoubleFault */
 +    t = FIELD_DP64(t, ID_AA64PFR1, SME, 1);       /* FEAT_SME */
      t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
      cpu->isar.id_aa64pfr1 = t;
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
      t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
      cpu->isar.id_aa64dfr0 = t;
 +    t = cpu->isar.id_aa64smfr0;
 +    t = FIELD_DP64(t, ID_AA64SMFR0, F32F32, 1);   /* FEAT_SME */
 +    t = FIELD_DP64(t, ID_AA64SMFR0, B16F32, 1);   /* FEAT_SME */
 +    t = FIELD_DP64(t, ID_AA64SMFR0, F16F32, 1);   /* FEAT_SME */
 +    t = FIELD_DP64(t, ID_AA64SMFR0, I8I32, 0xf);  /* FEAT_SME */
 +    t = FIELD_DP64(t, ID_AA64SMFR0, F64F64, 1);   /* FEAT_SME_F64F64 */
 +    t = FIELD_DP64(t, ID_AA64SMFR0, I16I64, 0xf); /* FEAT_SME_I16I64 */
 +    t = FIELD_DP64(t, ID_AA64SMFR0, FA64, 1);     /* FEAT_SME_FA64 */
 +    cpu->isar.id_aa64smfr0 = t;
 +
      /* Replicate the same data to the 32-bit id registers.  */
      aa32_max_features(cpu);
 --
 .25.1

-[PULL 33/45] linux-user/aarch64: Clear tpidr2_el0 if CLONE_SETTLS
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-34-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- linux-user/aarch64/target_cpu.h | 5 ++++-
-file changed, 4 insertions(+), 1 deletion(-)
-diff --git a/linux-user/aarch64/target_cpu.h b/linux-user/aarch64/target_cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/target_cpu.h
-+++ b/linux-user/aarch64/target_cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline void cpu_clone_regs_parent(CPUARMState *env, unsigned flags)
- static inline void cpu_set_tls(CPUARMState *env, target_ulong newtls)
- {
--    /* Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
-+    /*
-+     * Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
-      * different from AArch32 Linux, which uses TPIDRRO.
-      */
-     env->cp15.tpidr_el[0] = newtls;
-+    /* TPIDR2_EL0 is cleared with CLONE_SETTLS. */
-+    env->cp15.tpidr2_el0 = 0;
- }
- static inline abi_ulong get_sp_from_cpustate(CPUARMState *state)
---
-.25.1

I don't have anything else queued up at the moment, so this is just
Richard's SME patches.

-- PMM

The following changes since commit 63b38f6c85acd312c2cab68554abf33adf4ee2b3:

Merge tag 'pull-target-arm-20220707' of https://git.linaro.org/people/pmaydell/qemu-arm into staging (2022-07-08 06:17:11 +0530)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220711

for you to fetch changes up to f9982ceaf26df27d15547a3a7990a95019e9e3a8:

linux-user/aarch64: Add SME related hwcap entries (2022-07-11 13:43:52 +0100)

----------------------------------------------------------------
target-arm:
 * Implement SME emulation, for both system and linux-user

----------------------------------------------------------------
Richard Henderson (45):
      target/arm: Handle SME in aarch64_cpu_dump_state
      target/arm: Add infrastructure for disas_sme
      target/arm: Trap non-streaming usage when Streaming SVE is active
      target/arm: Mark ADR as non-streaming
      target/arm: Mark RDFFR, WRFFR, SETFFR as non-streaming
      target/arm: Mark BDEP, BEXT, BGRP, COMPACT, FEXPA, FTSSEL as non-streaming
      target/arm: Mark PMULL, FMMLA as non-streaming
      target/arm: Mark FTSMUL, FTMAD, FADDA as non-streaming
      target/arm: Mark SMMLA, UMMLA, USMMLA as non-streaming
      target/arm: Mark string/histo/crypto as non-streaming
      target/arm: Mark gather/scatter load/store as non-streaming
      target/arm: Mark gather prefetch as non-streaming
      target/arm: Mark LDFF1 and LDNF1 as non-streaming
      target/arm: Mark LD1RO as non-streaming
      target/arm: Add SME enablement checks
      target/arm: Handle SME in sve_access_check
      target/arm: Implement SME RDSVL, ADDSVL, ADDSPL
      target/arm: Implement SME ZERO
      target/arm: Implement SME MOVA
      target/arm: Implement SME LD1, ST1
      target/arm: Export unpredicated ld/st from translate-sve.c
      target/arm: Implement SME LDR, STR
      target/arm: Implement SME ADDHA, ADDVA
      target/arm: Implement FMOPA, FMOPS (non-widening)
      target/arm: Implement BFMOPA, BFMOPS
      target/arm: Implement FMOPA, FMOPS (widening)
      target/arm: Implement SME integer outer product
      target/arm: Implement PSEL
      target/arm: Implement REVD
      target/arm: Implement SCLAMP, UCLAMP
      target/arm: Reset streaming sve state on exception boundaries
      target/arm: Enable SME for -cpu max
      linux-user/aarch64: Clear tpidr2_el0 if CLONE_SETTLS
      linux-user/aarch64: Reset PSTATE.SM on syscalls
      linux-user/aarch64: Add SM bit to SVE signal context
      linux-user/aarch64: Tidy target_restore_sigframe error return
      linux-user/aarch64: Do not allow duplicate or short sve records
      linux-user/aarch64: Verify extra record lock succeeded
      linux-user/aarch64: Move sve record checks into restore
      linux-user/aarch64: Implement SME signal handling
      linux-user: Rename sve prctls
      linux-user/aarch64: Implement PR_SME_GET_VL, PR_SME_SET_VL
      target/arm: Only set ZEN in reset if SVE present
      target/arm: Enable SME for user-only
      linux-user/aarch64: Add SME related hwcap entries

From: Richard Henderson <richard.henderson@linaro.org>

Dump SVCR, plus use the correct access check for Streaming Mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
     int i;
     int el = arm_current_el(env);
     const char *ns_status;
+    bool sve;
 
     qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
     for (i = 0; i < 32; i++) {
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
                  el,
                  psr & PSTATE_SP ? 'h' : 't');
 
+    if (cpu_isar_feature(aa64_sme, cpu)) {
+        qemu_fprintf(f, "  SVCR=%08" PRIx64 " %c%c",
+                     env->svcr,
+                     (FIELD_EX64(env->svcr, SVCR, ZA) ? 'Z' : '-'),
+                     (FIELD_EX64(env->svcr, SVCR, SM) ? 'S' : '-'));
+    }
     if (cpu_isar_feature(aa64_bti, cpu)) {
         qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
     }
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
     qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
                  vfp_get_fpcr(env), vfp_get_fpsr(env));
 
-    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
+    if (cpu_isar_feature(aa64_sme, cpu) && FIELD_EX64(env->svcr, SVCR, SM)) {
+        sve = sme_exception_el(env, el) == 0;
+    } else if (cpu_isar_feature(aa64_sve, cpu)) {
+        sve = sve_exception_el(env, el) == 0;
+    } else {
+        sve = false;
+    }
+
+    if (sve) {
         int j, zcr_len = sve_vqm1_for_el(env, el);
 
         for (i = 0; i <= FFR_PRED_NUM; i++) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This includes the build rules for the decoder, and the
new file for translation, but excludes any instructions.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h |  1 +
 target/arm/sme.decode      | 20 ++++++++++++++++++++
 target/arm/translate-a64.c |  7 ++++++-
 target/arm/translate-sme.c | 35 +++++++++++++++++++++++++++++++++++
 target/arm/meson.build     |  2 ++
 5 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 target/arm/sme.decode
 create mode 100644 target/arm/translate-sme.c

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ static inline int pred_gvec_reg_size(DisasContext *s)
 }
 
 bool disas_sve(DisasContext *, uint32_t);
+bool disas_sme(DisasContext *, uint32_t);
 
 void gen_gvec_rax1(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
                    uint32_t rm_ofs, uint32_t opr_sz, uint32_t max_sz);
diff --git a/target/arm/sme.decode b/target/arm/sme.decode
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@
+# AArch64 SME instruction descriptions
+#
+#  Copyright (c) 2022 Linaro, Ltd
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+#
+# This file is processed by scripts/decodetree.py
+#
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     }
 
     switch (extract32(insn, 25, 4)) {
-    case 0x0: case 0x1: case 0x3: /* UNALLOCATED */
+    case 0x0:
+        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
+            unallocated_encoding(s);
+        }
+        break;
+    case 0x1: case 0x3: /* UNALLOCATED */
         unallocated_encoding(s);
         break;
     case 0x2:
diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * AArch64 SME translation
+ *
+ * Copyright (c) 2022 Linaro, Ltd
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "tcg/tcg-op.h"
+#include "tcg/tcg-op-gvec.h"
+#include "tcg/tcg-gvec-desc.h"
+#include "translate.h"
+#include "exec/helper-gen.h"
+#include "translate-a64.h"
+#include "fpu/softfloat.h"
+
+
+/*
+ * Include the generated decoder.
+ */
+
+#include "decode-sme.c.inc"
diff --git a/target/arm/meson.build b/target/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/meson.build
+++ b/target/arm/meson.build
@@ -XXX,XX +XXX,XX @@
 gen = [
   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
+  decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
   decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
   decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
   'sme_helper.c',
   'translate-a64.c',
   'translate-sve.c',
+  'translate-sme.c',
 ))
 
 arm_softmmu_ss = ss.source_set()
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This new behaviour is in the ARM pseudocode function
AArch64.CheckFPAdvSIMDEnabled, which applies to AArch32
via AArch32.CheckAdvSIMDOrFPEnabled when the EL to which
the trap would be delivered is in AArch64 mode.

Given that ARMv9 drops support for AArch32 outside EL0, the trap EL
detection ought to be trivially true, but the pseudocode still contains
a number of conditions, and QEMU has not yet committed to dropping A32
support for EL[12] when v9 features are present.

Since the computation of SME_TRAP_NONSTREAMING is necessarily different
for the two modes, we might as well preserve bits within TBFLAG_ANY and
allocate separate bits within TBFLAG_A32 and TBFLAG_A64 instead.

Note that DDI0616A.a has typos for bits [22:21] of LD1RO in the table
of instructions illegal in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h           |  7 +++
 target/arm/translate.h     |  4 ++
 target/arm/sme-fa64.decode | 90 ++++++++++++++++++++++++++++++++++++++
 target/arm/helper.c        | 41 +++++++++++++++++
 target/arm/translate-a64.c | 40 ++++++++++++++++-
 target/arm/translate-vfp.c | 12 +++++
 target/arm/translate.c     |  2 +
 target/arm/meson.build     |  1 +
 8 files changed, 195 insertions(+), 2 deletions(-)
 create mode 100644 target/arm/sme-fa64.decode

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A32, HSTR_ACTIVE, 9, 1)
  * the same thing as the current security state of the processor!
  */
 FIELD(TBFLAG_A32, NS, 10, 1)
+/*
+ * Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not.
+ * This requires an SME trap from AArch32 mode when using NEON.
+ */
+FIELD(TBFLAG_A32, SME_TRAP_NONSTREAMING, 11, 1)
 
 /*
  * Bit usage when in AArch32 state, for M-profile only.
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A64, SMEEXC_EL, 20, 2)
 FIELD(TBFLAG_A64, PSTATE_SM, 22, 1)
 FIELD(TBFLAG_A64, PSTATE_ZA, 23, 1)
 FIELD(TBFLAG_A64, SVL, 24, 4)
+/* Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not. */
+FIELD(TBFLAG_A64, SME_TRAP_NONSTREAMING, 28, 1)
 
 /*
  * Helpers for using the above.
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     bool pstate_sm;
     /* True if PSTATE.ZA is set. */
     bool pstate_za;
+    /* True if non-streaming insns should raise an SME Streaming exception. */
+    bool sme_trap_nonstreaming;
+    /* True if the current instruction is non-streaming. */
+    bool is_nonstreaming;
     /* True if MVE insns are definitely not predicated by VPR or LTPSIZE */
     bool mve_no_pred;
     /*
diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@
+# AArch64 SME allowed instruction decoding
+#
+#  Copyright (c) 2022 Linaro, Ltd
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+#
+# This file is processed by scripts/decodetree.py
+#
+
+# These patterns are taken from Appendix E1.1 of DDI0616 A.a,
+# Arm Architecture Reference Manual Supplement,
+# The Scalable Matrix Extension (SME), for Armv9-A
+
+{
+  [
+    OK  0-00 1110 0000 0001 0010 11-- ---- ----   # SMOV W|Xd,Vn.B[0]
+    OK  0-00 1110 0000 0010 0010 11-- ---- ----   # SMOV W|Xd,Vn.H[0]
+    OK  0100 1110 0000 0100 0010 11-- ---- ----   # SMOV Xd,Vn.S[0]
+    OK  0000 1110 0000 0001 0011 11-- ---- ----   # UMOV Wd,Vn.B[0]
+    OK  0000 1110 0000 0010 0011 11-- ---- ----   # UMOV Wd,Vn.H[0]
+    OK  0000 1110 0000 0100 0011 11-- ---- ----   # UMOV Wd,Vn.S[0]
+    OK  0100 1110 0000 1000 0011 11-- ---- ----   # UMOV Xd,Vn.D[0]
+  ]
+  FAIL  0--0 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD vector operations
+}
+
+{
+  [
+    OK  0101 1110 --1- ---- 11-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar)
+    OK  0101 1110 -10- ---- 00-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar, FP16)
+    OK  01-1 1110 1-10 0001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar)
+    OK  01-1 1110 1111 1001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar, FP16)
+  ]
+  FAIL  01-1 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD single-element operations
+}
+
+FAIL    0-00 110- ---- ---- ---- ---- ---- ----   # Advanced SIMD structure load/store
+FAIL    1100 1110 ---- ---- ---- ---- ---- ----   # Advanced SIMD cryptography extensions
+FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+
+# These are the "avoidance of doubt" final table of Illegal Advanced SIMD instructions
+# We don't actually need to include these, as the default is OK.
+#       -001 111- ---- ---- ---- ---- ---- ----   # Scalar floating-point operations
+#       --10 110- ---- ---- ---- ---- ---- ----   # Load/store pair of FP registers
+#       --01 1100 ---- ---- ---- ---- ---- ----   # Load FP register (PC-relative literal)
+#       --11 1100 --0- ---- ---- ---- ---- ----   # Load/store FP register (unscaled imm)
+#       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+#       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+
+FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
+FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
+FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
+FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
+FAIL    0010 0101 --10 1--- 1001 ---- ---- ----   # WRFFR, SETFFR
+FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
+FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
+FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
+FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
+FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
+FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
+FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
+FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
+FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
+FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
+FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
+FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
+FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
+FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
+FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
+FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
+FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
+FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
+FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
+FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
+FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
+FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
+FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
+FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ int sme_exception_el(CPUARMState *env, int el)
     return 0;
 }
 
+/* This corresponds to the ARM pseudocode function IsFullA64Enabled(). */
+static bool sme_fa64(CPUARMState *env, int el)
+{
+    if (!cpu_isar_feature(aa64_sme_fa64, env_archcpu(env))) {
+        return false;
+    }
+
+    if (el <= 1 && !el_is_in_host(env, el)) {
+        if (!FIELD_EX64(env->vfp.smcr_el[1], SMCR, FA64)) {
+            return false;
+        }
+    }
+    if (el <= 2 && arm_is_el2_enabled(env)) {
+        if (!FIELD_EX64(env->vfp.smcr_el[2], SMCR, FA64)) {
+            return false;
+        }
+    }
+    if (arm_feature(env, ARM_FEATURE_EL3)) {
+        if (!FIELD_EX64(env->vfp.smcr_el[3], SMCR, FA64)) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
 /*
  * Given that SVE is enabled, return the vector length for EL.
  */
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a32(CPUARMState *env, int fp_el,
         DP_TBFLAG_ANY(flags, PSTATE__IL, 1);
     }
 
+    /*
+     * The SME exception we are testing for is raised via
+     * AArch64.CheckFPAdvSIMDEnabled(), as called from
+     * AArch32.CheckAdvSIMDOrFPEnabled().
+     */
+    if (el == 0
+        && FIELD_EX64(env->svcr, SVCR, SM)
+        && (!arm_is_el2_enabled(env)
+            || (arm_el_is_aa64(env, 2) && !(env->cp15.hcr_el2 & HCR_TGE)))
+        && arm_el_is_aa64(env, 1)
+        && !sme_fa64(env, el)) {
+        DP_TBFLAG_A32(flags, SME_TRAP_NONSTREAMING, 1);
+    }
+
     return rebuild_hflags_common_32(env, fp_el, mmu_idx, flags);
 }
 
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
         }
         if (FIELD_EX64(env->svcr, SVCR, SM)) {
             DP_TBFLAG_A64(flags, PSTATE_SM, 1);
+            DP_TBFLAG_A64(flags, SME_TRAP_NONSTREAMING, !sme_fa64(env, el));
         }
         DP_TBFLAG_A64(flags, PSTATE_ZA, FIELD_EX64(env->svcr, SVCR, ZA));
     }
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void do_vec_ld(DisasContext *s, int destidx, int element,
  * unallocated-encoding checks (otherwise the syndrome information
  * for the resulting exception will be incorrect).
  */
-static bool fp_access_check(DisasContext *s)
+static bool fp_access_check_only(DisasContext *s)
 {
     if (s->fp_excp_el) {
         assert(!s->fp_access_checked);
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
     return true;
 }
 
+static bool fp_access_check(DisasContext *s)
+{
+    if (!fp_access_check_only(s)) {
+        return false;
+    }
+    if (s->sme_trap_nonstreaming && s->is_nonstreaming) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_Streaming, false));
+        return false;
+    }
+    return true;
+}
+
 /* Check that SVE access is enabled.  If it is, return true.
  * If not, emit code to generate an appropriate exception and return false.
  */
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
     default:
         g_assert_not_reached();
     }
-    if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
+    if ((ri->type & ARM_CP_FPU) && !fp_access_check_only(s)) {
         return;
     } else if ((ri->type & ARM_CP_SVE) && !sve_access_check(s)) {
         return;
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
     }
 }
 
+/*
+ * Include the generated SME FA64 decoder.
+ */
+
+#include "decode-sme-fa64.c.inc"
+
+static bool trans_OK(DisasContext *s, arg_OK *a)
+{
+    return true;
+}
+
+static bool trans_FAIL(DisasContext *s, arg_OK *a)
+{
+    s->is_nonstreaming = true;
+    return true;
+}
+
 /**
  * is_guarded_page:
  * @env: The cpu environment
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
     dc->mte_active[1] = EX_TBFLAG_A64(tb_flags, MTE0_ACTIVE);
     dc->pstate_sm = EX_TBFLAG_A64(tb_flags, PSTATE_SM);
     dc->pstate_za = EX_TBFLAG_A64(tb_flags, PSTATE_ZA);
+    dc->sme_trap_nonstreaming = EX_TBFLAG_A64(tb_flags, SME_TRAP_NONSTREAMING);
     dc->vec_len = 0;
     dc->vec_stride = 0;
     dc->cp_regs = arm_cpu->cp_regs;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         }
     }
 
+    s->is_nonstreaming = false;
+    if (s->sme_trap_nonstreaming) {
+        disas_sme_fa64(s, insn);
+    }
+
     switch (extract32(insn, 25, 4)) {
     case 0x0:
         if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.c
+++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
         return false;
     }
 
+    /*
+     * Note that rebuild_hflags_a32 has already accounted for being in EL0
+     * and the higher EL in A64 mode, etc.  Unlike A64 mode, there do not
+     * appear to be any insns which touch VFP which are allowed.
+     */
+    if (s->sme_trap_nonstreaming) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_Streaming,
+                                       s->base.pc_next - s->pc_curr == 2));
+        return false;
+    }
+
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
         unallocated_encoding(s);
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
             dc->vec_len = EX_TBFLAG_A32(tb_flags, VECLEN);
             dc->vec_stride = EX_TBFLAG_A32(tb_flags, VECSTRIDE);
         }
+        dc->sme_trap_nonstreaming =
+            EX_TBFLAG_A32(tb_flags, SME_TRAP_NONSTREAMING);
     }
     dc->cp_regs = cpu->cp_regs;
     dc->features = env->features;
diff --git a/target/arm/meson.build b/target/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/meson.build
+++ b/target/arm/meson.build
@@ -XXX,XX +XXX,XX @@
 gen = [
   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
   decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
+  decodetree.process('sme-fa64.decode', extra_args: '--static-decode=disas_sme_fa64'),
   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
   decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
   decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark ADR as a non-streaming instruction, which should trap
if full a64 support is not enabled in streaming mode.

Removing entries from sme-fa64.decode is an easy way to see
what remains to be done.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.h     | 7 +++++++
 target/arm/sme-fa64.decode | 1 -
 target/arm/translate-sve.c | 8 ++++----
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ uint64_t asimd_imm_const(uint32_t imm, int cmode, int op);
     static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \
     { return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__); }
 
+#define TRANS_FEAT_NONSTREAMING(NAME, FEAT, FUNC, ...)            \
+    static bool trans_##NAME(DisasContext *s, arg_##NAME *a)      \
+    {                                                             \
+        s->is_nonstreaming = true;                                \
+        return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__);  \
+    }
+
 #endif /* TARGET_ARM_TRANSLATE_H */
diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
 FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
 FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
 FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_adr(DisasContext *s, arg_rrri *a, gen_helper_gvec_3 *fn)
     return gen_gvec_ool_zzz(s, fn, a->rd, a->rn, a->rm, a->imm);
 }
 
-TRANS_FEAT(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
-TRANS_FEAT(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
-TRANS_FEAT(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
-TRANS_FEAT(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
+TRANS_FEAT_NONSTREAMING(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
+TRANS_FEAT_NONSTREAMING(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
+TRANS_FEAT_NONSTREAMING(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
+TRANS_FEAT_NONSTREAMING(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
 
 /*
  *** SVE Integer Misc - Unpredicated Group
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 2 --
 target/arm/translate-sve.c | 9 ++++++---
 2 files changed, 6 insertions(+), 5 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  3 ---
 target/arm/translate-sve.c | 22 ++++++++++++----------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
-FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
-FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
 FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
 FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
 FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_2 * const fexpa_fns[4] = {
     NULL,                   gen_helper_sve_fexpa_h,
     gen_helper_sve_fexpa_s, gen_helper_sve_fexpa_d,
 };
-TRANS_FEAT(FEXPA, aa64_sve, gen_gvec_ool_zz,
-           fexpa_fns[a->esz], a->rd, a->rn, 0)
+TRANS_FEAT_NONSTREAMING(FEXPA, aa64_sve, gen_gvec_ool_zz,
+                        fexpa_fns[a->esz], a->rd, a->rn, 0)
 
 static gen_helper_gvec_3 * const ftssel_fns[4] = {
     NULL,                    gen_helper_sve_ftssel_h,
     gen_helper_sve_ftssel_s, gen_helper_sve_ftssel_d,
 };
-TRANS_FEAT(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz, ftssel_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz,
+                        ftssel_fns[a->esz], a, 0)
 
 /*
  *** SVE Predicate Logical Operations Group
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(TRN2_q, aa64_sve_f64mm, gen_gvec_ool_arg_zzz,
 static gen_helper_gvec_3 * const compact_fns[4] = {
     NULL, NULL, gen_helper_sve_compact_s, gen_helper_sve_compact_d
 };
-TRANS_FEAT(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz, compact_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz,
+                        compact_fns[a->esz], a, 0)
 
 /* Call the helper that computes the ARM LastActiveElement pseudocode
  * function, scaled by the element size.  This includes the not found
@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_3 * const bext_fns[4] = {
     gen_helper_sve2_bext_b, gen_helper_sve2_bext_h,
     gen_helper_sve2_bext_s, gen_helper_sve2_bext_d,
 };
-TRANS_FEAT(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-           bext_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+                        bext_fns[a->esz], a, 0)
 
 static gen_helper_gvec_3 * const bdep_fns[4] = {
     gen_helper_sve2_bdep_b, gen_helper_sve2_bdep_h,
     gen_helper_sve2_bdep_s, gen_helper_sve2_bdep_d,
 };
-TRANS_FEAT(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-           bdep_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+                        bdep_fns[a->esz], a, 0)
 
 static gen_helper_gvec_3 * const bgrp_fns[4] = {
     gen_helper_sve2_bgrp_b, gen_helper_sve2_bgrp_h,
     gen_helper_sve2_bgrp_s, gen_helper_sve2_bgrp_d,
 };
-TRANS_FEAT(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-           bgrp_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+                        bgrp_fns[a->esz], a, 0)
 
 static gen_helper_gvec_3 * const cadd_fns[4] = {
     gen_helper_sve2_cadd_b, gen_helper_sve2_cadd_h,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  2 --
 target/arm/translate-sve.c | 24 +++++++++++++++---------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
-FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
 FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
 FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
 FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_trans_pmull(DisasContext *s, arg_rrr_esz *a, bool sel)
         gen_helper_gvec_pmull_q, gen_helper_sve2_pmull_h,
         NULL,                    gen_helper_sve2_pmull_d,
     };
-    if (a->esz == 0
-        ? !dc_isar_feature(aa64_sve2_pmull128, s)
-        : !dc_isar_feature(aa64_sve, s)) {
+
+    if (a->esz == 0) {
+        if (!dc_isar_feature(aa64_sve2_pmull128, s)) {
+            return false;
+        }
+        s->is_nonstreaming = true;
+    } else if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
     return gen_gvec_ool_arg_zzz(s, fns[a->esz], a, sel);
@@ -XXX,XX +XXX,XX @@ DO_ZPZZ_FP(FMINP, aa64_sve2, sve2_fminp_zpzz)
  * SVE Integer Multiply-Add (unpredicated)
  */
 
-TRANS_FEAT(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_s,
-           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
-TRANS_FEAT(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_d,
-           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
+TRANS_FEAT_NONSTREAMING(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz,
+                        gen_helper_fmmla_s, a->rd, a->rn, a->rm, a->ra,
+                        0, FPST_FPCR)
+TRANS_FEAT_NONSTREAMING(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz,
+                        gen_helper_fmmla_d, a->rd, a->rn, a->rm, a->ra,
+                        0, FPST_FPCR)
 
 static gen_helper_gvec_4 * const sqdmlal_zzzw_fns[] = {
     NULL,                           gen_helper_sve2_sqdmlal_zzzw_h,
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(BFDOT_zzzz, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
 TRANS_FEAT(BFDOT_zzxz, aa64_sve_bf16, gen_gvec_ool_arg_zzxz,
            gen_helper_gvec_bfdot_idx, a)
 
-TRANS_FEAT(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
-           gen_helper_gvec_bfmmla, a, 0)
+TRANS_FEAT_NONSTREAMING(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
+                        gen_helper_gvec_bfmmla, a, 0)
 
 static bool do_BFMLAL_zzzw(DisasContext *s, arg_rrrr_esz *a, bool sel)
 {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  3 ---
 target/arm/translate-sve.c | 15 +++++++++++----
 2 files changed, 11 insertions(+), 7 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  1 -
 target/arm/translate-sve.c | 12 ++++++------
 2 files changed, 6 insertions(+), 7 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  1 -
 target/arm/translate-sve.c | 35 ++++++++++++++++++-----------------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
 FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
 FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
 FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ DO_SVE2_ZZZ_NARROW(RSUBHNT, rsubhnt)
 static gen_helper_gvec_flags_4 * const match_fns[4] = {
     gen_helper_sve2_match_ppzz_b, gen_helper_sve2_match_ppzz_h, NULL, NULL
 };
-TRANS_FEAT(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
+TRANS_FEAT_NONSTREAMING(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
 
 static gen_helper_gvec_flags_4 * const nmatch_fns[4] = {
     gen_helper_sve2_nmatch_ppzz_b, gen_helper_sve2_nmatch_ppzz_h, NULL, NULL
 };
-TRANS_FEAT(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
+TRANS_FEAT_NONSTREAMING(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
 
 static gen_helper_gvec_4 * const histcnt_fns[4] = {
     NULL, NULL, gen_helper_sve2_histcnt_s, gen_helper_sve2_histcnt_d
 };
-TRANS_FEAT(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
-           histcnt_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
+                        histcnt_fns[a->esz], a, 0)
 
-TRANS_FEAT(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
-           a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
+TRANS_FEAT_NONSTREAMING(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
+                        a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
 
 DO_ZPZZ_FP(FADDP, aa64_sve2, sve2_faddp_zpzz)
 DO_ZPZZ_FP(FMAXNMP, aa64_sve2, sve2_fmaxnmp_zpzz)
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(SQRDCMLAH_zzzz, aa64_sve2, gen_gvec_ool_zzzz,
 TRANS_FEAT(USDOT_zzzz, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
            a->esz == 2 ? gen_helper_gvec_usdot_b : NULL, a, 0)
 
-TRANS_FEAT(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
-           gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
+TRANS_FEAT_NONSTREAMING(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
+                        gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
 
-TRANS_FEAT(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_aese, a, false)
-TRANS_FEAT(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_aese, a, true)
+TRANS_FEAT_NONSTREAMING(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_aese, a, false)
+TRANS_FEAT_NONSTREAMING(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_aese, a, true)
 
-TRANS_FEAT(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_sm4e, a, 0)
-TRANS_FEAT(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_sm4ekey, a, 0)
+TRANS_FEAT_NONSTREAMING(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_sm4e, a, 0)
+TRANS_FEAT_NONSTREAMING(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_sm4ekey, a, 0)
 
-TRANS_FEAT(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz, gen_gvec_rax1, a)
+TRANS_FEAT_NONSTREAMING(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz,
+                        gen_gvec_rax1, a)
 
 TRANS_FEAT(FCVTNT_sh, aa64_sve2, gen_gvec_fpst_arg_zpz,
            gen_helper_sve2_fcvtnt_sh, a, 0, FPST_FPCR)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 9 ---------
 target/arm/translate-sve.c | 6 ++++++
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
 FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
 FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
-FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
-FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
-FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
-FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
 FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
 FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
 FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
 FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
 FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
-FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
-FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
-FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
-FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zprz(DisasContext *s, arg_LD1_zprz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zpiz(DisasContext *s, arg_LD1_zpiz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_LDNT1_zprz(DisasContext *s, arg_LD1_zprz *a)
     if (!dc_isar_feature(aa64_sve2, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zprz(DisasContext *s, arg_ST1_zprz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zpiz(DisasContext *s, arg_ST1_zpiz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_STNT1_zprz(DisasContext *s, arg_ST1_zprz *a)
     if (!dc_isar_feature(aa64_sve2, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap if full
a64 support is not enabled in streaming mode.  In this case, introduce
PRF_ns (prefetch non-streaming) to handle the checks.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  3 ---
 target/arm/sve.decode      | 10 +++++-----
 target/arm/translate-sve.c | 11 +++++++++++
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
-FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
 FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
 FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
 FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
 FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
-FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ LD1RO_zpri      1010010 .. 01 0.... 001 ... ..... ..... \
                 @rpri_load_msz nreg=0
 
 # SVE 32-bit gather prefetch (scalar plus 32-bit scaled offsets)
-PRF             1000010 00 -1 ----- 0-- --- ----- 0 ----
+PRF_ns          1000010 00 -1 ----- 0-- --- ----- 0 ----
 
 # SVE 32-bit gather prefetch (vector plus immediate)
-PRF             1000010 -- 00 ----- 111 --- ----- 0 ----
+PRF_ns          1000010 -- 00 ----- 111 --- ----- 0 ----
 
 # SVE contiguous prefetch (scalar plus immediate)
 PRF             1000010 11 1- ----- 0-- --- ----- 0 ----
@@ -XXX,XX +XXX,XX @@ LD1_zpiz        1100010 .. 01 ..... 1.. ... ..... ..... \
                 @rpri_g_load esz=3
 
 # SVE 64-bit gather prefetch (scalar plus 64-bit scaled offsets)
-PRF             1100010 00 11 ----- 1-- --- ----- 0 ----
+PRF_ns          1100010 00 11 ----- 1-- --- ----- 0 ----
 
 # SVE 64-bit gather prefetch (scalar plus unpacked 32-bit scaled offsets)
-PRF             1100010 00 -1 ----- 0-- --- ----- 0 ----
+PRF_ns          1100010 00 -1 ----- 0-- --- ----- 0 ----
 
 # SVE 64-bit gather prefetch (vector plus immediate)
-PRF             1100010 -- 00 ----- 111 --- ----- 0 ----
+PRF_ns          1100010 -- 00 ----- 111 --- ----- 0 ----
 
 ### SVE Memory Store Group
 
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_PRF_rr(DisasContext *s, arg_PRF_rr *a)
     return true;
 }
 
+static bool trans_PRF_ns(DisasContext *s, arg_PRF_ns *a)
+{
+    if (!dc_isar_feature(aa64_sve, s)) {
+        return false;
+    }
+    /* Prefetch is a nop within QEMU.  */
+    s->is_nonstreaming = true;
+    (void)sve_access_check(s);
+    return true;
+}
+
 /*
  * Move Prefix
  *
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 2 --
 target/arm/translate-sve.c | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 3 ---
 target/arm/translate-sve.c | 2 ++
 2 files changed, 2 insertions(+), 3 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

These functions will be used to verify that the cpu
is in the correct state for a given instruction.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-16-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h | 21 +++++++++++++++++++++
 target/arm/translate-a64.c | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void write_fp_dreg(DisasContext *s, int reg, TCGv_i64 v);
 bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
                             unsigned int imms, unsigned int immr);
 bool sve_access_check(DisasContext *s);
+bool sme_enabled_check(DisasContext *s);
+bool sme_enabled_check_with_svcr(DisasContext *s, unsigned);
+
+/* This function corresponds to CheckStreamingSVEEnabled. */
+static inline bool sme_sm_enabled_check(DisasContext *s)
+{
+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK);
+}
+
+/* This function corresponds to CheckSMEAndZAEnabled. */
+static inline bool sme_za_enabled_check(DisasContext *s)
+{
+    return sme_enabled_check_with_svcr(s, R_SVCR_ZA_MASK);
+}
+
+/* Note that this function corresponds to CheckStreamingSVEAndZAEnabled. */
+static inline bool sme_smza_enabled_check(DisasContext *s)
+{
+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK | R_SVCR_ZA_MASK);
+}
+
 TCGv_i64 clean_data_tbi(DisasContext *s, TCGv_i64 addr);
 TCGv_i64 gen_mte_check1(DisasContext *s, TCGv_i64 addr, bool is_write,
                         bool tag_checked, int log2_size);
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool sme_access_check(DisasContext *s)
     return true;
 }
 
+/* This function corresponds to CheckSMEEnabled. */
+bool sme_enabled_check(DisasContext *s)
+{
+    /*
+     * Note that unlike sve_excp_el, we have not constrained sme_excp_el
+     * to be zero when fp_excp_el has priority.  This is because we need
+     * sme_excp_el by itself for cpregs access checks.
+     */
+    if (!s->fp_excp_el || s->sme_excp_el < s->fp_excp_el) {
+        s->fp_access_checked = true;
+        return sme_access_check(s);
+    }
+    return fp_access_check_only(s);
+}
+
+/* Common subroutine for CheckSMEAnd*Enabled. */
+bool sme_enabled_check_with_svcr(DisasContext *s, unsigned req)
+{
+    if (!sme_enabled_check(s)) {
+        return false;
+    }
+    if (FIELD_EX64(req, SVCR, SM) && !s->pstate_sm) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_NotStreaming, false));
+        return false;
+    }
+    if (FIELD_EX64(req, SVCR, ZA) && !s->pstate_za) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_InactiveZA, false));
+        return false;
+    }
+    return true;
+}
+
 /*
  * This utility function is for doing register extension with an
  * optional shift. You will likely want to pass a temporary for the
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The pseudocode for CheckSVEEnabled gains a check for Streaming
SVE mode, and for SME present but SVE absent.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-17-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
     return true;
 }
 
-/* Check that SVE access is enabled.  If it is, return true.
+/*
+ * Check that SVE access is enabled.  If it is, return true.
  * If not, emit code to generate an appropriate exception and return false.
+ * This function corresponds to CheckSVEEnabled().
  */
 bool sve_access_check(DisasContext *s)
 {
-    if (s->sve_excp_el) {
-        assert(!s->sve_access_checked);
-        s->sve_access_checked = true;
-
+    if (s->pstate_sm || !dc_isar_feature(aa64_sve, s)) {
+        assert(dc_isar_feature(aa64_sme, s));
+        if (!sme_sm_enabled_check(s)) {
+            goto fail_exit;
+        }
+    } else if (s->sve_excp_el) {
         gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
                               syn_sve_access_trap(), s->sve_excp_el);
-        return false;
+        goto fail_exit;
     }
     s->sve_access_checked = true;
     return fp_access_check(s);
+
+ fail_exit:
+    /* Assert that we only raise one exception per instruction. */
+    assert(!s->sve_access_checked);
+    s->sve_access_checked = true;
+    return false;
 }
 
 /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

These SME instructions are nominally within the SVE decode space,
so we add them to sve.decode and translate-sve.c.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-18-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h | 12 ++++++++++++
 target/arm/sve.decode      |  5 ++++-
 target/arm/translate-sve.c | 38 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ static inline int vec_full_reg_size(DisasContext *s)
     return s->vl;
 }
 
+/* Return the byte size of the vector register, SVL / 8. */
+static inline int streaming_vec_reg_size(DisasContext *s)
+{
+    return s->svl;
+}
+
 /*
  * Return the offset info CPUARMState of the predicate vector register Pn.
  * Note for this purpose, FFR is P16.
@@ -XXX,XX +XXX,XX @@ static inline int pred_full_reg_size(DisasContext *s)
     return s->vl >> 3;
 }
 
+/* Return the byte size of the predicate register, SVL / 64.  */
+static inline int streaming_pred_reg_size(DisasContext *s)
+{
+    return s->svl >> 3;
+}
+
 /*
  * Round up the size of a register to a size allowed by
  * the tcg vector infrastructure.  Any operation which uses this
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ INDEX_ri        00000100 esz:2 1 imm:s5 010001 rn:5 rd:5
 # SVE index generation (register start, register increment)
 INDEX_rr        00000100 .. 1 ..... 010011 ..... .....          @rd_rn_rm
 
-### SVE Stack Allocation Group
+### SVE / Streaming SVE Stack Allocation Group
 
 # SVE stack frame adjustment
 ADDVL           00000100 001 ..... 01010 ...... .....           @rd_rn_i6
+ADDSVL          00000100 001 ..... 01011 ...... .....           @rd_rn_i6
 ADDPL           00000100 011 ..... 01010 ...... .....           @rd_rn_i6
+ADDSPL          00000100 011 ..... 01011 ...... .....           @rd_rn_i6
 
 # SVE stack frame size
 RDVL            00000100 101 11111 01010 imm:s6 rd:5
+RDSVL           00000100 101 11111 01011 imm:s6 rd:5
 
 ### SVE Bitwise Shift - Unpredicated Group
 
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_ADDVL(DisasContext *s, arg_ADDVL *a)
     return true;
 }
 
+static bool trans_ADDSVL(DisasContext *s, arg_ADDSVL *a)
+{
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (sme_enabled_check(s)) {
+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
+        tcg_gen_addi_i64(rd, rn, a->imm * streaming_vec_reg_size(s));
+    }
+    return true;
+}
+
 static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
 {
     if (!dc_isar_feature(aa64_sve, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
     return true;
 }
 
+static bool trans_ADDSPL(DisasContext *s, arg_ADDSPL *a)
+{
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (sme_enabled_check(s)) {
+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
+        tcg_gen_addi_i64(rd, rn, a->imm * streaming_pred_reg_size(s));
+    }
+    return true;
+}
+
 static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
 {
     if (!dc_isar_feature(aa64_sve, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
     return true;
 }
 
+static bool trans_RDSVL(DisasContext *s, arg_RDSVL *a)
+{
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (sme_enabled_check(s)) {
+        TCGv_i64 reg = cpu_reg(s, a->rd);
+        tcg_gen_movi_i64(reg, a->imm * streaming_vec_reg_size(s));
+    }
+    return true;
+}
+
 /*
  *** SVE Compute Vector Address Group
  */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-19-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  2 ++
 target/arm/sme.decode      |  4 ++++
 target/arm/sme_helper.c    | 25 +++++++++++++++++++++++++
 target/arm/translate-sme.c | 13 +++++++++++++
 4 files changed, 44 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

We can reuse the SVE functions for implementing moves to/from
horizontal tile slices, but we need new ones for moves to/from
vertical tile slices.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-20-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  12 +++
 target/arm/helper-sve.h    |   2 +
 target/arm/translate-a64.h |   8 ++
 target/arm/translate.h     |   5 ++
 target/arm/sme.decode      |  15 ++++
 target/arm/sme_helper.c    | 151 ++++++++++++++++++++++++++++++++++++-
 target/arm/sve_helper.c    |  12 +++
 target/arm/translate-sme.c | 127 +++++++++++++++++++++++++++++++
 8 files changed, 331 insertions(+), 1 deletion(-)

From: Richard Henderson <richard.henderson@linaro.org>

We cannot reuse the SVE functions for LD[1-4] and ST[1-4],
because those functions accept only a Zreg register number.
For SME, we want to pass a pointer into ZA storage.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-21-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  82 +++++
 target/arm/sme.decode      |   9 +
 target/arm/sme_helper.c    | 595 +++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c |  70 +++++
 4 files changed, 756 insertions(+)

diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-sme.h
+++ b/target/arm/helper-sme.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sme_mova_cz_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sme_mova_zc_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sme_mova_cz_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sme_mova_zc_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
diff --git a/target/arm/sme.decode b/target/arm/sme.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme.decode
+++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ MOVA            11000000 esz:2 00001 0 v:1 .. pg:3 0 za_imm:4 zr:5  \
                 &mova to_vec=1 rs=%mova_rs
 MOVA            11000000 11    00001 1 v:1 .. pg:3 0 za_imm:4 zr:5  \
                 &mova to_vec=1 rs=%mova_rs esz=4
+
+### SME Memory
+
+&ldst           esz rs pg rn rm za_imm v:bool st:bool
+
+LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
+                &ldst rs=%mova_rs
+LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
+                &ldst esz=4 rs=%mova_rs
diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme_helper.c
+++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "cpu.h"
+#include "internals.h"
 #include "tcg/tcg-gvec-desc.h"
 #include "exec/helper-proto.h"
+#include "exec/cpu_ldst.h"
+#include "exec/exec-all.h"
 #include "qemu/int128.h"
 #include "vec_internal.h"
+#include "sve_ldst_internal.h"
 
 /* ResetSVEState */
 void arm_reset_sve_state(CPUARMState *env)
@@ -XXX,XX +XXX,XX @@ void HELPER(sme_mova_zc_q)(void *vd, void *za, void *vg, uint32_t desc)
 }
 
 #undef DO_MOVA_Z
+
+/*
+ * Clear elements in a tile slice comprising len bytes.
+ */
+
+typedef void ClearFn(void *ptr, size_t off, size_t len);
+
+static void clear_horizontal(void *ptr, size_t off, size_t len)
+{
+    memset(ptr + off, 0, len);
+}
+
+static void clear_vertical_b(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; ++i) {
+        *(uint8_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_h(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 2) {
+        *(uint16_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_s(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 4) {
+        *(uint32_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_d(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 8) {
+        *(uint64_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_q(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 16) {
+        memset(vptr + tile_vslice_offset(i + off), 0, 16);
+    }
+}
+
+/*
+ * Copy elements from an array into a tile slice comprising len bytes.
+ */
+
+typedef void CopyFn(void *dst, const void *src, size_t len);
+
+static void copy_horizontal(void *dst, const void *src, size_t len)
+{
+    memcpy(dst, src, len);
+}
+
+static void copy_vertical_b(void *vdst, const void *vsrc, size_t len)
+{
+    const uint8_t *src = vsrc;
+    uint8_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_h(void *vdst, const void *vsrc, size_t len)
+{
+    const uint16_t *src = vsrc;
+    uint16_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len / 2; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_s(void *vdst, const void *vsrc, size_t len)
+{
+    const uint32_t *src = vsrc;
+    uint32_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len / 4; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_d(void *vdst, const void *vsrc, size_t len)
+{
+    const uint64_t *src = vsrc;
+    uint64_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len / 8; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_q(void *vdst, const void *vsrc, size_t len)
+{
+    for (size_t i = 0; i < len; i += 16) {
+        memcpy(vdst + tile_vslice_offset(i), vsrc + i, 16);
+    }
+}
+
+/*
+ * Host and TLB primitives for vertical tile slice addressing.
+ */
+
+#define DO_LD(NAME, TYPE, HOST, TLB)                                        \
+static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
+{                                                                           \
+    TYPE val = HOST(host);                                                  \
+    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
+}                                                                           \
+static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
+                        intptr_t off, target_ulong addr, uintptr_t ra)      \
+{                                                                           \
+    TYPE val = TLB(env, useronly_clean_ptr(addr), ra);                      \
+    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
+}
+
+#define DO_ST(NAME, TYPE, HOST, TLB)                                        \
+static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
+{                                                                           \
+    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
+    HOST(host, val);                                                        \
+}                                                                           \
+static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
+                        intptr_t off, target_ulong addr, uintptr_t ra)      \
+{                                                                           \
+    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
+    TLB(env, useronly_clean_ptr(addr), val, ra);                            \
+}
+
+/*
+ * The ARMVectorReg elements are stored in host-endian 64-bit units.
+ * For 128-bit quantities, the sequence defined by the Elem[] pseudocode
+ * corresponds to storing the two 64-bit pieces in little-endian order.
+ */
+#define DO_LDQ(HNAME, VNAME, BE, HOST, TLB)                                 \
+static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
+{                                                                           \
+    uint64_t val0 = HOST(host), val1 = HOST(host + 8);                      \
+    uint64_t *ptr = za + off;                                               \
+    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
+}                                                                           \
+static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
+{                                                                           \
+    HNAME##_host(za, tile_vslice_offset(off), host);                        \
+}                                                                           \
+static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    uint64_t val0 = TLB(env, useronly_clean_ptr(addr), ra);                 \
+    uint64_t val1 = TLB(env, useronly_clean_ptr(addr + 8), ra);             \
+    uint64_t *ptr = za + off;                                               \
+    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
+}                                                                           \
+static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
+}
+
+#define DO_STQ(HNAME, VNAME, BE, HOST, TLB)                                 \
+static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
+{                                                                           \
+    uint64_t *ptr = za + off;                                               \
+    HOST(host, ptr[BE]);                                                    \
+    HOST(host + 1, ptr[!BE]);                                               \
+}                                                                           \
+static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
+{                                                                           \
+    HNAME##_host(za, tile_vslice_offset(off), host);                        \
+}                                                                           \
+static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    uint64_t *ptr = za + off;                                               \
+    TLB(env, useronly_clean_ptr(addr), ptr[BE], ra);                        \
+    TLB(env, useronly_clean_ptr(addr + 8), ptr[!BE], ra);                   \
+}                                                                           \
+static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
+}
+
+DO_LD(ld1b, uint8_t, ldub_p, cpu_ldub_data_ra)
+DO_LD(ld1h_be, uint16_t, lduw_be_p, cpu_lduw_be_data_ra)
+DO_LD(ld1h_le, uint16_t, lduw_le_p, cpu_lduw_le_data_ra)
+DO_LD(ld1s_be, uint32_t, ldl_be_p, cpu_ldl_be_data_ra)
+DO_LD(ld1s_le, uint32_t, ldl_le_p, cpu_ldl_le_data_ra)
+DO_LD(ld1d_be, uint64_t, ldq_be_p, cpu_ldq_be_data_ra)
+DO_LD(ld1d_le, uint64_t, ldq_le_p, cpu_ldq_le_data_ra)
+
+DO_LDQ(sve_ld1qq_be, sme_ld1q_be, 1, ldq_be_p, cpu_ldq_be_data_ra)
+DO_LDQ(sve_ld1qq_le, sme_ld1q_le, 0, ldq_le_p, cpu_ldq_le_data_ra)
+
+DO_ST(st1b, uint8_t, stb_p, cpu_stb_data_ra)
+DO_ST(st1h_be, uint16_t, stw_be_p, cpu_stw_be_data_ra)
+DO_ST(st1h_le, uint16_t, stw_le_p, cpu_stw_le_data_ra)
+DO_ST(st1s_be, uint32_t, stl_be_p, cpu_stl_be_data_ra)
+DO_ST(st1s_le, uint32_t, stl_le_p, cpu_stl_le_data_ra)
+DO_ST(st1d_be, uint64_t, stq_be_p, cpu_stq_be_data_ra)
+DO_ST(st1d_le, uint64_t, stq_le_p, cpu_stq_le_data_ra)
+
+DO_STQ(sve_st1qq_be, sme_st1q_be, 1, stq_be_p, cpu_stq_be_data_ra)
+DO_STQ(sve_st1qq_le, sme_st1q_le, 0, stq_le_p, cpu_stq_le_data_ra)
+
+#undef DO_LD
+#undef DO_ST
+#undef DO_LDQ
+#undef DO_STQ
+
+/*
+ * Common helper for all contiguous predicated loads.
+ */
+
+static inline QEMU_ALWAYS_INLINE
+void sme_ld1(CPUARMState *env, void *za, uint64_t *vg,
+             const target_ulong addr, uint32_t desc, const uintptr_t ra,
+             const int esz, uint32_t mtedesc, bool vertical,
+             sve_ldst1_host_fn *host_fn,
+             sve_ldst1_tlb_fn *tlb_fn,
+             ClearFn *clr_fn,
+             CopyFn *cpy_fn)
+{
+    const intptr_t reg_max = simd_oprsz(desc);
+    const intptr_t esize = 1 << esz;
+    intptr_t reg_off, reg_last;
+    SVEContLdSt info;
+    void *host;
+    int flags;
+
+    /* Find the active elements.  */
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
+        /* The entire predicate was false; no load occurs.  */
+        clr_fn(za, 0, reg_max);
+        return;
+    }
+
+    /* Probe the page(s).  Exit with exception for any invalid page. */
+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, ra);
+
+    /* Handle watchpoints for all active elements. */
+    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
+                              BP_MEM_READ, ra);
+
+    /*
+     * Handle mte checks for all active elements.
+     * Since TBI must be set for MTE, !mtedesc => !mte_active.
+     */
+    if (mtedesc) {
+        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
+                                mtedesc, ra);
+    }
+
+    flags = info.page[0].flags | info.page[1].flags;
+    if (unlikely(flags != 0)) {
+#ifdef CONFIG_USER_ONLY
+        g_assert_not_reached();
+#else
+        /*
+         * At least one page includes MMIO.
+         * Any bus operation can fail with cpu_transaction_failed,
+         * which for ARM will raise SyncExternal.  Perform the load
+         * into scratch memory to preserve register state until the end.
+         */
+        ARMVectorReg scratch = { };
+
+        reg_off = info.reg_off_first[0];
+        reg_last = info.reg_off_last[1];
+        if (reg_last < 0) {
+            reg_last = info.reg_off_split;
+            if (reg_last < 0) {
+                reg_last = info.reg_off_last[0];
+            }
+        }
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    tlb_fn(env, &scratch, reg_off, addr + reg_off, ra);
+                }
+                reg_off += esize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+
+        cpy_fn(za, &scratch, reg_max);
+        return;
+#endif
+    }
+
+    /* The entire operation is in RAM, on valid pages. */
+
+    reg_off = info.reg_off_first[0];
+    reg_last = info.reg_off_last[0];
+    host = info.page[0].host;
+
+    if (!vertical) {
+        memset(za, 0, reg_max);
+    } else if (reg_off) {
+        clr_fn(za, 0, reg_off);
+    }
+
+    while (reg_off <= reg_last) {
+        uint64_t pg = vg[reg_off >> 6];
+        do {
+            if ((pg >> (reg_off & 63)) & 1) {
+                host_fn(za, reg_off, host + reg_off);
+            } else if (vertical) {
+                clr_fn(za, reg_off, esize);
+            }
+            reg_off += esize;
+        } while (reg_off <= reg_last && (reg_off & 63));
+    }
+
+    /*
+     * Use the slow path to manage the cross-page misalignment.
+     * But we know this is RAM and cannot trap.
+     */
+    reg_off = info.reg_off_split;
+    if (unlikely(reg_off >= 0)) {
+        tlb_fn(env, za, reg_off, addr + reg_off, ra);
+    }
+
+    reg_off = info.reg_off_first[1];
+    if (unlikely(reg_off >= 0)) {
+        reg_last = info.reg_off_last[1];
+        host = info.page[1].host;
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    host_fn(za, reg_off, host + reg_off);
+                } else if (vertical) {
+                    clr_fn(za, reg_off, esize);
+                }
+                reg_off += esize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+    }
+}
+
+static inline QEMU_ALWAYS_INLINE
+void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,
+                 target_ulong addr, uint32_t desc, uintptr_t ra,
+                 const int esz, bool vertical,
+                 sve_ldst1_host_fn *host_fn,
+                 sve_ldst1_tlb_fn *tlb_fn,
+                 ClearFn *clr_fn,
+                 CopyFn *cpy_fn)
+{
+    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+    int bit55 = extract64(addr, 55, 1);
+
+    /* Remove mtedesc from the normal sve descriptor. */
+    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+
+    /* Perform gross MTE suppression early. */
+    if (!tbi_check(desc, bit55) ||
+        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+        mtedesc = 0;
+    }
+
+    sme_ld1(env, za, vg, addr, desc, ra, esz, mtedesc, vertical,
+            host_fn, tlb_fn, clr_fn, cpy_fn);
+}
+
+#define DO_LD(L, END, ESZ)                                                 \
+void HELPER(sme_ld1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
+            sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,           \
+            clear_horizontal, copy_horizontal);                            \
+}                                                                          \
+void HELPER(sme_ld1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
+            sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,             \
+            clear_vertical_##L, copy_vertical_##L);                        \
+}                                                                          \
+void HELPER(sme_ld1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
+                sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,       \
+                clear_horizontal, copy_horizontal);                        \
+}                                                                          \
+void HELPER(sme_ld1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
+                sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,         \
+                clear_vertical_##L, copy_vertical_##L);                    \
+}
+
+DO_LD(b, , MO_8)
+DO_LD(h, _be, MO_16)
+DO_LD(h, _le, MO_16)
+DO_LD(s, _be, MO_32)
+DO_LD(s, _le, MO_32)
+DO_LD(d, _be, MO_64)
+DO_LD(d, _le, MO_64)
+DO_LD(q, _be, MO_128)
+DO_LD(q, _le, MO_128)
+
+#undef DO_LD
+
+/*
+ * Common helper for all contiguous predicated stores.
+ */
+
+static inline QEMU_ALWAYS_INLINE
+void sme_st1(CPUARMState *env, void *za, uint64_t *vg,
+             const target_ulong addr, uint32_t desc, const uintptr_t ra,
+             const int esz, uint32_t mtedesc, bool vertical,
+             sve_ldst1_host_fn *host_fn,
+             sve_ldst1_tlb_fn *tlb_fn)
+{
+    const intptr_t reg_max = simd_oprsz(desc);
+    const intptr_t esize = 1 << esz;
+    intptr_t reg_off, reg_last;
+    SVEContLdSt info;
+    void *host;
+    int flags;
+
+    /* Find the active elements.  */
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
+        /* The entire predicate was false; no store occurs.  */
+        return;
+    }
+
+    /* Probe the page(s).  Exit with exception for any invalid page. */
+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_STORE, ra);
+
+    /* Handle watchpoints for all active elements. */
+    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
+                              BP_MEM_WRITE, ra);
+
+    /*
+     * Handle mte checks for all active elements.
+     * Since TBI must be set for MTE, !mtedesc => !mte_active.
+     */
+    if (mtedesc) {
+        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
+                                mtedesc, ra);
+    }
+
+    flags = info.page[0].flags | info.page[1].flags;
+    if (unlikely(flags != 0)) {
+#ifdef CONFIG_USER_ONLY
+        g_assert_not_reached();
+#else
+        /*
+         * At least one page includes MMIO.
+         * Any bus operation can fail with cpu_transaction_failed,
+         * which for ARM will raise SyncExternal.  We cannot avoid
+         * this fault and will leave with the store incomplete.
+         */
+        reg_off = info.reg_off_first[0];
+        reg_last = info.reg_off_last[1];
+        if (reg_last < 0) {
+            reg_last = info.reg_off_split;
+            if (reg_last < 0) {
+                reg_last = info.reg_off_last[0];
+            }
+        }
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    tlb_fn(env, za, reg_off, addr + reg_off, ra);
+                }
+                reg_off += esize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+        return;
+#endif
+    }
+
+    reg_off = info.reg_off_first[0];
+    reg_last = info.reg_off_last[0];
+    host = info.page[0].host;
+
+    while (reg_off <= reg_last) {
+        uint64_t pg = vg[reg_off >> 6];
+        do {
+            if ((pg >> (reg_off & 63)) & 1) {
+                host_fn(za, reg_off, host + reg_off);
+            }
+            reg_off += 1 << esz;
+        } while (reg_off <= reg_last && (reg_off & 63));
+    }
+
+    /*
+     * Use the slow path to manage the cross-page misalignment.
+     * But we know this is RAM and cannot trap.
+     */
+    reg_off = info.reg_off_split;
+    if (unlikely(reg_off >= 0)) {
+        tlb_fn(env, za, reg_off, addr + reg_off, ra);
+    }
+
+    reg_off = info.reg_off_first[1];
+    if (unlikely(reg_off >= 0)) {
+        reg_last = info.reg_off_last[1];
+        host = info.page[1].host;
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    host_fn(za, reg_off, host + reg_off);
+                }
+                reg_off += 1 << esz;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+    }
+}
+
+static inline QEMU_ALWAYS_INLINE
+void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,
+                 uint32_t desc, uintptr_t ra, int esz, bool vertical,
+                 sve_ldst1_host_fn *host_fn,
+                 sve_ldst1_tlb_fn *tlb_fn)
+{
+    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+    int bit55 = extract64(addr, 55, 1);
+
+    /* Remove mtedesc from the normal sve descriptor. */
+    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+
+    /* Perform gross MTE suppression early. */
+    if (!tbi_check(desc, bit55) ||
+        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+        mtedesc = 0;
+    }
+
+    sme_st1(env, za, vg, addr, desc, ra, esz, mtedesc,
+            vertical, host_fn, tlb_fn);
+}
+
+#define DO_ST(L, END, ESZ)                                                 \
+void HELPER(sme_st1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
+            sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);          \
+}                                                                          \
+void HELPER(sme_st1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
+            sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);            \
+}                                                                          \
+void HELPER(sme_st1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
+                sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);      \
+}                                                                          \
+void HELPER(sme_st1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
+                sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);        \
+}
+
+DO_ST(b, , MO_8)
+DO_ST(h, _be, MO_16)
+DO_ST(h, _le, MO_16)
+DO_ST(s, _be, MO_32)
+DO_ST(s, _le, MO_32)
+DO_ST(d, _be, MO_64)
+DO_ST(d, _le, MO_64)
+DO_ST(q, _be, MO_128)
+DO_ST(q, _le, MO_128)
+
+#undef DO_ST
diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sme.c
+++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool trans_MOVA(DisasContext *s, arg_MOVA *a)
 
     return true;
 }
+
+static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
+{
+    typedef void GenLdSt1(TCGv_env, TCGv_ptr, TCGv_ptr, TCGv, TCGv_i32);
+
+    /*
+     * Indexed by [esz][be][v][mte][st], which is (except for load/store)
+     * also the order in which the elements appear in the function names,
+     * and so how we must concatenate the pieces.
+     */
+
+#define FN_LS(F)     { gen_helper_sme_ld1##F, gen_helper_sme_st1##F }
+#define FN_MTE(F)    { FN_LS(F), FN_LS(F##_mte) }
+#define FN_HV(F)     { FN_MTE(F##_h), FN_MTE(F##_v) }
+#define FN_END(L, B) { FN_HV(L), FN_HV(B) }
+
+    static GenLdSt1 * const fns[5][2][2][2][2] = {
+        FN_END(b, b),
+        FN_END(h_le, h_be),
+        FN_END(s_le, s_be),
+        FN_END(d_le, d_be),
+        FN_END(q_le, q_be),
+    };
+
+#undef FN_LS
+#undef FN_MTE
+#undef FN_HV
+#undef FN_END
+
+    TCGv_ptr t_za, t_pg;
+    TCGv_i64 addr;
+    int svl, desc = 0;
+    bool be = s->be_data == MO_BE;
+    bool mte = s->mte_active[0];
+
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (!sme_smza_enabled_check(s)) {
+        return true;
+    }
+
+    t_za = get_tile_rowcol(s, a->esz, a->rs, a->za_imm, a->v);
+    t_pg = pred_full_reg_ptr(s, a->pg);
+    addr = tcg_temp_new_i64();
+
+    tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), a->esz);
+    tcg_gen_add_i64(addr, addr, cpu_reg_sp(s, a->rn));
+
+    if (mte) {
+        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
+        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
+        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
+        desc = FIELD_DP32(desc, MTEDESC, WRITE, a->st);
+        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << a->esz) - 1);
+        desc <<= SVE_MTEDESC_SHIFT;
+    } else {
+        addr = clean_data_tbi(s, addr);
+    }
+    svl = streaming_vec_reg_size(s);
+    desc = simd_desc(svl, svl, desc);
+
+    fns[a->esz][be][a->v][mte][a->st](cpu_env, t_za, t_pg, addr,
+                                      tcg_constant_i32(desc));
+
+    tcg_temp_free_ptr(t_za);
+    tcg_temp_free_ptr(t_pg);
+    tcg_temp_free_i64(addr);
+    return true;
+}
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Add a TCGv_ptr base argument, which will be cpu_env for SVE.
We will reuse this for SME save and restore array insns.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-22-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h |  3 +++
 target/arm/translate-sve.c | 48 ++++++++++++++++++++++++++++----------
 2 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void gen_gvec_xar(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
                   uint32_t rm_ofs, int64_t shift,
                   uint32_t opr_sz, uint32_t max_sz);
 
+void gen_sve_ldr(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
+void gen_sve_str(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
+
 #endif /* TARGET_ARM_TRANSLATE_A64_H */
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(UCVTF_dd, aa64_sve, gen_gvec_fpst_arg_zpz,
  * The load should begin at the address Rn + IMM.
  */
 
-static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+void gen_sve_ldr(DisasContext *s, TCGv_ptr base, int vofs,
+                 int len, int rn, int imm)
 {
     int len_align = QEMU_ALIGN_DOWN(len, 8);
     int len_remain = len % 8;
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         t0 = tcg_temp_new_i64();
         for (i = 0; i < len_align; i += 8) {
             tcg_gen_qemu_ld_i64(t0, clean_addr, midx, MO_LEUQ);
-            tcg_gen_st_i64(t0, cpu_env, vofs + i);
+            tcg_gen_st_i64(t0, base, vofs + i);
             tcg_gen_addi_i64(clean_addr, clean_addr, 8);
         }
         tcg_temp_free_i64(t0);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         clean_addr = new_tmp_a64_local(s);
         tcg_gen_mov_i64(clean_addr, t0);
 
+        if (base != cpu_env) {
+            TCGv_ptr b = tcg_temp_local_new_ptr();
+            tcg_gen_mov_ptr(b, base);
+            base = b;
+        }
+
         gen_set_label(loop);
 
         t0 = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         tcg_gen_addi_i64(clean_addr, clean_addr, 8);
 
         tp = tcg_temp_new_ptr();
-        tcg_gen_add_ptr(tp, cpu_env, i);
+        tcg_gen_add_ptr(tp, base, i);
         tcg_gen_addi_ptr(i, i, 8);
         tcg_gen_st_i64(t0, tp, vofs);
         tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
         tcg_temp_free_ptr(i);
+
+        if (base != cpu_env) {
+            tcg_temp_free_ptr(base);
+            assert(len_remain == 0);
+        }
     }
 
     /*
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         default:
             g_assert_not_reached();
         }
-        tcg_gen_st_i64(t0, cpu_env, vofs + len_align);
+        tcg_gen_st_i64(t0, base, vofs + len_align);
         tcg_temp_free_i64(t0);
     }
 }
 
 /* Similarly for stores.  */
-static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+void gen_sve_str(DisasContext *s, TCGv_ptr base, int vofs,
+                 int len, int rn, int imm)
 {
     int len_align = QEMU_ALIGN_DOWN(len, 8);
     int len_remain = len % 8;
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         t0 = tcg_temp_new_i64();
         for (i = 0; i < len_align; i += 8) {
-            tcg_gen_ld_i64(t0, cpu_env, vofs + i);
+            tcg_gen_ld_i64(t0, base, vofs + i);
             tcg_gen_qemu_st_i64(t0, clean_addr, midx, MO_LEUQ);
             tcg_gen_addi_i64(clean_addr, clean_addr, 8);
         }
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         clean_addr = new_tmp_a64_local(s);
         tcg_gen_mov_i64(clean_addr, t0);
 
+        if (base != cpu_env) {
+            TCGv_ptr b = tcg_temp_local_new_ptr();
+            tcg_gen_mov_ptr(b, base);
+            base = b;
+        }
+
         gen_set_label(loop);
 
         t0 = tcg_temp_new_i64();
         tp = tcg_temp_new_ptr();
-        tcg_gen_add_ptr(tp, cpu_env, i);
+        tcg_gen_add_ptr(tp, base, i);
         tcg_gen_ld_i64(t0, tp, vofs);
         tcg_gen_addi_ptr(i, i, 8);
         tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
         tcg_temp_free_ptr(i);
+
+        if (base != cpu_env) {
+            tcg_temp_free_ptr(base);
+            assert(len_remain == 0);
+        }
     }
 
     /* Predicate register stores can be any multiple of 2.  */
     if (len_remain) {
         t0 = tcg_temp_new_i64();
-        tcg_gen_ld_i64(t0, cpu_env, vofs + len_align);
+        tcg_gen_ld_i64(t0, base, vofs + len_align);
 
         switch (len_remain) {
         case 2:
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_zri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = vec_full_reg_size(s);
         int off = vec_full_reg_offset(s, a->rd);
-        do_ldr(s, off, size, a->rn, a->imm * size);
+        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_pri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = pred_full_reg_size(s);
         int off = pred_full_reg_offset(s, a->rd);
-        do_ldr(s, off, size, a->rn, a->imm * size);
+        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_zri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = vec_full_reg_size(s);
         int off = vec_full_reg_offset(s, a->rd);
-        do_str(s, off, size, a->rn, a->imm * size);
+        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_pri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = pred_full_reg_size(s);
         int off = pred_full_reg_offset(s, a->rd);
-        do_str(s, off, size, a->rn, a->imm * size);
+        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We can reuse the SVE functions for LDR and STR, passing in the
base of the ZA vector and a zero offset.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-23-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme.decode      |  7 +++++++
 target/arm/translate-sme.c | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/target/arm/sme.decode b/target/arm/sme.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme.decode
+++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
                 &ldst rs=%mova_rs
 LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
                 &ldst esz=4 rs=%mova_rs
+
+&ldstr          rv rn imm
+@ldstr          ....... ... . ...... .. ... rn:5 . imm:4 \
+                &ldstr rv=%mova_rs
+
+LDR             1110000 100 0 000000 .. 000 ..... 0 ....        @ldstr
+STR             1110000 100 1 000000 .. 000 ..... 0 ....        @ldstr
diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sme.c
+++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
     tcg_temp_free_i64(addr);
     return true;
 }
+
+typedef void GenLdStR(DisasContext *, TCGv_ptr, int, int, int, int);
+
+static bool do_ldst_r(DisasContext *s, arg_ldstr *a, GenLdStR *fn)
+{
+    int svl = streaming_vec_reg_size(s);
+    int imm = a->imm;
+    TCGv_ptr base;
+
+    if (!sme_za_enabled_check(s)) {
+        return true;
+    }
+
+    /* ZA[n] equates to ZA0H.B[n]. */
+    base = get_tile_rowcol(s, MO_8, a->rv, imm, false);
+
+    fn(s, base, 0, svl, a->rn, imm * svl);
+
+    tcg_temp_free_ptr(base);
+    return true;
+}
+
+TRANS_FEAT(LDR, aa64_sme, do_ldst_r, a, gen_sve_ldr)
+TRANS_FEAT(STR, aa64_sme, do_ldst_r, a, gen_sve_str)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-24-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  5 +++
 target/arm/sme.decode      | 11 +++++
 target/arm/sme_helper.c    | 90 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 31 +++++++++++++
 4 files changed, 137 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-25-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  5 +++
 target/arm/sme.decode      |  9 +++++
 target/arm/sme_helper.c    | 69 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 32 ++++++++++++++++++
 4 files changed, 115 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-26-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  2 ++
 target/arm/sme.decode      |  2 ++
 target/arm/sme_helper.c    | 56 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 30 ++++++++++++++++++++
 4 files changed, 90 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-27-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  2 ++
 target/arm/sme.decode      |  1 +
 target/arm/sme_helper.c    | 74 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c |  1 +
 4 files changed, 78 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This is SMOPA, SUMOPA, USMOPA_s, UMOPA, for both Int8 and Int16.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-28-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    | 16 ++++++++
 target/arm/sme.decode      | 10 +++++
 target/arm/sme_helper.c    | 82 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 10 +++++
 4 files changed, 118 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This is an SVE instruction that operates using the SVE vector
length but that it is present only if SME is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-29-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve.decode      | 20 +++++++++++++
 target/arm/translate-sve.c | 57 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)

diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ BFMLALT_zzxw    01100100 11 1 ..... 0100.1 ..... .....     @rrxr_3a esz=2
 
 ### SVE2 floating-point bfloat16 dot-product (indexed)
 BFDOT_zzxz      01100100 01 1 ..... 010000 ..... .....     @rrxr_2 esz=2
+
+### SVE broadcast predicate element
+
+&psel           esz pd pn pm rv imm
+%psel_rv        16:2 !function=plus_12
+%psel_imm_b     22:2 19:2
+%psel_imm_h     22:2 20:1
+%psel_imm_s     22:2
+%psel_imm_d     23:1
+@psel           ........ .. . ... .. .. pn:4 . pm:4 . pd:4  \
+                &psel rv=%psel_rv
+
+PSEL            00100101 .. 1 ..1 .. 01 .... 0 .... 0 ....  \
+                @psel esz=0 imm=%psel_imm_b
+PSEL            00100101 .. 1 .10 .. 01 .... 0 .... 0 ....  \
+                @psel esz=1 imm=%psel_imm_h
+PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
+                @psel esz=2 imm=%psel_imm_s
+PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
+                @psel esz=3 imm=%psel_imm_d
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_BFMLAL_zzxw(DisasContext *s, arg_rrxr_esz *a, bool sel)
 
 TRANS_FEAT(BFMLALB_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, false)
 TRANS_FEAT(BFMLALT_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, true)
+
+static bool trans_PSEL(DisasContext *s, arg_psel *a)
+{
+    int vl = vec_full_reg_size(s);
+    int pl = pred_gvec_reg_size(s);
+    int elements = vl >> a->esz;
+    TCGv_i64 tmp, didx, dbit;
+    TCGv_ptr ptr;
+
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (!sve_access_check(s)) {
+        return true;
+    }
+
+    tmp = tcg_temp_new_i64();
+    dbit = tcg_temp_new_i64();
+    didx = tcg_temp_new_i64();
+    ptr = tcg_temp_new_ptr();
+
+    /* Compute the predicate element. */
+    tcg_gen_addi_i64(tmp, cpu_reg(s, a->rv), a->imm);
+    if (is_power_of_2(elements)) {
+        tcg_gen_andi_i64(tmp, tmp, elements - 1);
+    } else {
+        tcg_gen_remu_i64(tmp, tmp, tcg_constant_i64(elements));
+    }
+
+    /* Extract the predicate byte and bit indices. */
+    tcg_gen_shli_i64(tmp, tmp, a->esz);
+    tcg_gen_andi_i64(dbit, tmp, 7);
+    tcg_gen_shri_i64(didx, tmp, 3);
+    if (HOST_BIG_ENDIAN) {
+        tcg_gen_xori_i64(didx, didx, 7);
+    }
+
+    /* Load the predicate word. */
+    tcg_gen_trunc_i64_ptr(ptr, didx);
+    tcg_gen_add_ptr(ptr, ptr, cpu_env);
+    tcg_gen_ld8u_i64(tmp, ptr, pred_full_reg_offset(s, a->pm));
+
+    /* Extract the predicate bit and replicate to MO_64. */
+    tcg_gen_shr_i64(tmp, tmp, dbit);
+    tcg_gen_andi_i64(tmp, tmp, 1);
+    tcg_gen_neg_i64(tmp, tmp);
+
+    /* Apply to either copy the source, or write zeros. */
+    tcg_gen_gvec_ands(MO_64, pred_full_reg_offset(s, a->pd),
+                      pred_full_reg_offset(s, a->pn), tmp, pl, pl);
+
+    tcg_temp_free_i64(tmp);
+    tcg_temp_free_i64(dbit);
+    tcg_temp_free_i64(didx);
+    tcg_temp_free_ptr(ptr);
+    return true;
+}
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This is an SVE instruction that operates using the SVE vector
length but that it is present only if SME is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-30-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sve.h    |  2 ++
 target/arm/sve.decode      |  1 +
 target/arm/sve_helper.c    | 16 ++++++++++++++++
 target/arm/translate-sve.c |  2 ++
 4 files changed, 21 insertions(+)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sve_revh_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
 DEF_HELPER_FLAGS_4(sve_revw_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_4(sme_revd_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
 DEF_HELPER_FLAGS_4(sve_rbit_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sve_rbit_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sve_rbit_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ REVB            00000101 .. 1001 00 100 ... ..... .....         @rd_pg_rn
 REVH            00000101 .. 1001 01 100 ... ..... .....         @rd_pg_rn
 REVW            00000101 .. 1001 10 100 ... ..... .....         @rd_pg_rn
 RBIT            00000101 .. 1001 11 100 ... ..... .....         @rd_pg_rn
+REVD            00000101 00 1011 10 100 ... ..... .....         @rd_pg_rn_e0
 
 # SVE vector splice (predicated, destructive)
 SPLICE          00000101 .. 101 100 100 ... ..... .....         @rdn_pg_rm
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ DO_ZPZ_D(sve_revh_d, uint64_t, hswap64)
 
 DO_ZPZ_D(sve_revw_d, uint64_t, wswap64)
 
+void HELPER(sme_revd_q)(void *vd, void *vn, void *vg, uint32_t desc)
+{
+    intptr_t i, opr_sz = simd_oprsz(desc) / 8;
+    uint64_t *d = vd, *n = vn;
+    uint8_t *pg = vg;
+
+    for (i = 0; i < opr_sz; i += 2) {
+        if (pg[H1(i)] & 1) {
+            uint64_t n0 = n[i + 0];
+            uint64_t n1 = n[i + 1];
+            d[i + 0] = n1;
+            d[i + 1] = n0;
+        }
+    }
+}
+
 DO_ZPZ(sve_rbit_b, uint8_t, H1, revbit8)
 DO_ZPZ(sve_rbit_h, uint16_t, H1_2, revbit16)
 DO_ZPZ(sve_rbit_s, uint32_t, H1_4, revbit32)
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(REVH, aa64_sve, gen_gvec_ool_arg_zpz, revh_fns[a->esz], a, 0)
 TRANS_FEAT(REVW, aa64_sve, gen_gvec_ool_arg_zpz,
            a->esz == 3 ? gen_helper_sve_revw_d : NULL, a, 0)
 
+TRANS_FEAT(REVD, aa64_sme, gen_gvec_ool_arg_zpz, gen_helper_sme_revd_q, a, 0)
+
 TRANS_FEAT(SPLICE, aa64_sve, gen_gvec_ool_arg_zpzz,
            gen_helper_sve_splice, a, a->esz)
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This is an SVE instruction that operates using the SVE vector
length but that it is present only if SME is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-31-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h        |  18 +++++++
 target/arm/sve.decode      |   5 ++
 target/arm/translate-sve.c | 102 +++++++++++++++++++++++++++++++++++++
 target/arm/vec_helper.c    |  24 +++++++++
 4 files changed, 149 insertions(+)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(gvec_bfmlal, TCG_CALL_NO_RWG,
 DEF_HELPER_FLAGS_6(gvec_bfmlal_idx, TCG_CALL_NO_RWG,
                    void, ptr, ptr, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_5(gvec_sclamp_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sclamp_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sclamp_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sclamp_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_5(gvec_uclamp_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uclamp_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uclamp_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uclamp_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
 #include "helper-sve.h"
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
                 @psel esz=2 imm=%psel_imm_s
 PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
                 @psel esz=3 imm=%psel_imm_d
+
+### SVE clamp
+
+SCLAMP          01000100 .. 0 ..... 110000 ..... .....          @rda_rn_rm
+UCLAMP          01000100 .. 0 ..... 110001 ..... .....          @rda_rn_rm
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_PSEL(DisasContext *s, arg_psel *a)
     tcg_temp_free_ptr(ptr);
     return true;
 }
+
+static void gen_sclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
+{
+    tcg_gen_smax_i32(d, a, n);
+    tcg_gen_smin_i32(d, d, m);
+}
+
+static void gen_sclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
+{
+    tcg_gen_smax_i64(d, a, n);
+    tcg_gen_smin_i64(d, d, m);
+}
+
+static void gen_sclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
+                           TCGv_vec m, TCGv_vec a)
+{
+    tcg_gen_smax_vec(vece, d, a, n);
+    tcg_gen_smin_vec(vece, d, d, m);
+}
+
+static void gen_sclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
+{
+    static const TCGOpcode vecop[] = {
+        INDEX_op_smin_vec, INDEX_op_smax_vec, 0
+    };
+    static const GVecGen4 ops[4] = {
+        { .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_b,
+          .opt_opc = vecop,
+          .vece = MO_8 },
+        { .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_h,
+          .opt_opc = vecop,
+          .vece = MO_16 },
+        { .fni4 = gen_sclamp_i32,
+          .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_s,
+          .opt_opc = vecop,
+          .vece = MO_32 },
+        { .fni8 = gen_sclamp_i64,
+          .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_d,
+          .opt_opc = vecop,
+          .vece = MO_64,
+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
+    };
+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
+}
+
+TRANS_FEAT(SCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_sclamp, a)
+
+static void gen_uclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
+{
+    tcg_gen_umax_i32(d, a, n);
+    tcg_gen_umin_i32(d, d, m);
+}
+
+static void gen_uclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
+{
+    tcg_gen_umax_i64(d, a, n);
+    tcg_gen_umin_i64(d, d, m);
+}
+
+static void gen_uclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
+                           TCGv_vec m, TCGv_vec a)
+{
+    tcg_gen_umax_vec(vece, d, a, n);
+    tcg_gen_umin_vec(vece, d, d, m);
+}
+
+static void gen_uclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
+{
+    static const TCGOpcode vecop[] = {
+        INDEX_op_umin_vec, INDEX_op_umax_vec, 0
+    };
+    static const GVecGen4 ops[4] = {
+        { .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_b,
+          .opt_opc = vecop,
+          .vece = MO_8 },
+        { .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_h,
+          .opt_opc = vecop,
+          .vece = MO_16 },
+        { .fni4 = gen_uclamp_i32,
+          .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_s,
+          .opt_opc = vecop,
+          .vece = MO_32 },
+        { .fni8 = gen_uclamp_i64,
+          .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_d,
+          .opt_opc = vecop,
+          .vece = MO_64,
+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
+    };
+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
+}
+
+TRANS_FEAT(UCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_uclamp, a)
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_bfmlal_idx)(void *vd, void *vn, void *vm,
     }
     clear_tail(d, opr_sz, simd_maxsz(desc));
 }
+
+#define DO_CLAMP(NAME, TYPE) \
+void HELPER(NAME)(void *d, void *n, void *m, void *a, uint32_t desc)    \
+{                                                                       \
+    intptr_t i, opr_sz = simd_oprsz(desc);                              \
+    for (i = 0; i < opr_sz; i += sizeof(TYPE)) {                        \
+        TYPE aa = *(TYPE *)(a + i);                                     \
+        TYPE nn = *(TYPE *)(n + i);                                     \
+        TYPE mm = *(TYPE *)(m + i);                                     \
+        TYPE dd = MIN(MAX(aa, nn), mm);                                 \
+        *(TYPE *)(d + i) = dd;                                          \
+    }                                                                   \
+    clear_tail(d, opr_sz, simd_maxsz(desc));                            \
+}
+
+DO_CLAMP(gvec_sclamp_b, int8_t)
+DO_CLAMP(gvec_sclamp_h, int16_t)
+DO_CLAMP(gvec_sclamp_s, int32_t)
+DO_CLAMP(gvec_sclamp_d, int64_t)
+
+DO_CLAMP(gvec_uclamp_b, uint8_t)
+DO_CLAMP(gvec_uclamp_h, uint16_t)
+DO_CLAMP(gvec_uclamp_s, uint32_t)
+DO_CLAMP(gvec_uclamp_d, uint64_t)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We can handle both exception entry and exception return by
hooking into aarch64_sve_change_el.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-32-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
         return;
     }
 
+    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
+    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
+
+    /*
+     * Both AArch64.TakeException and AArch64.ExceptionReturn
+     * invoke ResetSVEState when taking an exception from, or
+     * returning to, AArch32 state when PSTATE.SM is enabled.
+     */
+    if (old_a64 != new_a64 && FIELD_EX64(env->svcr, SVCR, SM)) {
+        arm_reset_sve_state(env);
+        return;
+    }
+
     /*
      * DDI0584A.d sec 3.2: "If SVE instructions are disabled or trapped
      * at ELx, or not available because the EL is in AArch32 state, then
@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
      * we already have the correct register contents when encountering the
      * vq0->vq0 transition between EL0->EL1.
      */
-    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
     old_len = (old_a64 && !sve_exception_el(env, old_el)
                ? sve_vqm1_for_el(env, old_el) : 0);
-    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
     new_len = (new_a64 && !sve_exception_el(env, new_el)
                ? sve_vqm1_for_el(env, new_el) : 0);
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Note that SME remains effectively disabled for user-only,
because we do not yet set CPACR_EL1.SMEN.  This needs to
wait until the kernel ABI is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-33-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst |  4 ++++
 target/arm/cpu64.c            | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
 - FEAT_SHA512 (Advanced SIMD SHA512 instructions)
 - FEAT_SM3 (Advanced SIMD SM3 instructions)
 - FEAT_SM4 (Advanced SIMD SM4 instructions)
+- FEAT_SME (Scalable Matrix Extension)
+- FEAT_SME_FA64 (Full A64 instruction set in Streaming SVE mode)
+- FEAT_SME_F64F64 (Double-precision floating-point outer product instructions)
+- FEAT_SME_I16I64 (16-bit to 64-bit integer widening outer product instructions)
 - FEAT_SPECRES (Speculation restriction instructions)
 - FEAT_SSBS (Speculative Store Bypass Safe)
 - FEAT_TLBIOS (TLB invalidate instructions in Outer Shareable domain)
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
      */
     t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
     t = FIELD_DP64(t, ID_AA64PFR1, RAS_FRAC, 0);  /* FEAT_RASv1p1 + FEAT_DoubleFault */
+    t = FIELD_DP64(t, ID_AA64PFR1, SME, 1);       /* FEAT_SME */
     t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
     cpu->isar.id_aa64pfr1 = t;
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
     t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
     cpu->isar.id_aa64dfr0 = t;
 
+    t = cpu->isar.id_aa64smfr0;
+    t = FIELD_DP64(t, ID_AA64SMFR0, F32F32, 1);   /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, B16F32, 1);   /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, F16F32, 1);   /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, I8I32, 0xf);  /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, F64F64, 1);   /* FEAT_SME_F64F64 */
+    t = FIELD_DP64(t, ID_AA64SMFR0, I16I64, 0xf); /* FEAT_SME_I16I64 */
+    t = FIELD_DP64(t, ID_AA64SMFR0, FA64, 1);     /* FEAT_SME_FA64 */
+    cpu->isar.id_aa64smfr0 = t;
+
     /* Replicate the same data to the 32-bit id registers.  */
     aa32_max_features(cpu);
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-34-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_cpu.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/linux-user/aarch64/target_cpu.h b/linux-user/aarch64/target_cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_cpu.h
+++ b/linux-user/aarch64/target_cpu.h
@@ -XXX,XX +XXX,XX @@ static inline void cpu_clone_regs_parent(CPUARMState *env, unsigned flags)
 
 static inline void cpu_set_tls(CPUARMState *env, target_ulong newtls)
 {
-    /* Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
+    /*
+     * Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
      * different from AArch32 Linux, which uses TPIDRRO.
      */
     env->cp15.tpidr_el[0] = newtls;
+    /* TPIDR2_EL0 is cleared with CLONE_SETTLS. */
+    env->cp15.tpidr2_el0 = 0;
 }
 
 static inline abi_ulong get_sp_from_cpustate(CPUARMState *state)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-35-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/cpu_loop.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/cpu_loop.c
+++ b/linux-user/aarch64/cpu_loop.c
@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
 
         switch (trapnr) {
         case EXCP_SWI:
+            /*
+             * On syscall, PSTATE.ZA is preserved, along with the ZA matrix.
+             * PSTATE.SM is cleared, per SMSTOP, which does ResetSVEState.
+             */
+            if (FIELD_EX64(env->svcr, SVCR, SM)) {
+                env->svcr = FIELD_DP64(env->svcr, SVCR, SM, 0);
+                arm_rebuild_hflags(env);
+                arm_reset_sve_state(env);
+            }
             ret = do_syscall(env,
                              env->xregs[8],
                              env->xregs[0],
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Make sure to zero the currently reserved fields.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-36-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_extra_context {
 struct target_sve_context {
     struct target_aarch64_ctx head;
     uint16_t vl;
-    uint16_t reserved[3];
+    uint16_t flags;
+    uint16_t reserved[2];
     /* The actual SVE data immediately follows.  It is laid out
      * according to TARGET_SVE_SIG_{Z,P}REG_OFFSET, based off of
      * the original struct pointer.
@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
 #define TARGET_SVE_SIG_CONTEXT_SIZE(VQ) \
     (TARGET_SVE_SIG_PREG_OFFSET(VQ, 17))
 
+#define TARGET_SVE_SIG_FLAG_SM  1
+
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
 {
     int i, j;
 
+    memset(sve, 0, sizeof(*sve));
     __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
     __put_user(size, &sve->head.size);
     __put_user(vq * TARGET_SVE_VQ_BYTES, &sve->vl);
+    if (FIELD_EX64(env->svcr, SVCR, SM)) {
+        __put_user(TARGET_SVE_SIG_FLAG_SM, &sve->flags);
+    }
 
     /* Note that SVE regs are stored as a byte stream, with each byte element
      * at a subsequent address.  This corresponds to a little-endian store
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Fold the return value setting into the goto, so each
point of failure need not do both.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-37-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     struct target_sve_context *sve = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
-    bool err = false;
     int vq = 0, sve_size = 0;
 
     target_restore_general_frame(env, sf);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
         switch (magic) {
         case 0:
             if (size != 0) {
-                err = true;
-                goto exit;
+                goto err;
             }
             if (used_extra) {
                 ctx = NULL;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
 
         case TARGET_FPSIMD_MAGIC:
             if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
-                err = true;
-                goto exit;
+                goto err;
             }
             fpsimd = (struct target_fpsimd_context *)ctx;
             break;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
                     break;
                 }
             }
-            err = true;
-            goto exit;
+            goto err;
 
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
-                err = true;
-                goto exit;
+                goto err;
             }
             __get_user(extra_datap,
                        &((struct target_extra_context *)ctx)->datap);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             /* Unknown record -- we certainly didn't generate it.
              * Did we in fact get out of sync?
              */
-            err = true;
-            goto exit;
+            goto err;
         }
         ctx = (void *)ctx + size;
     }
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     if (fpsimd) {
         target_restore_fpsimd_record(env, fpsimd);
     } else {
-        err = true;
+        goto err;
     }
 
     /* SVE data, if present, overwrites FPSIMD data.  */
     if (sve) {
         target_restore_sve_record(env, sve, vq);
     }
-
- exit:
     unlock_user(extra, extra_datap, 0);
-    return err;
+    return 0;
+
+ err:
+    unlock_user(extra, extra_datap, 0);
+    return 1;
 }
 
 static abi_ulong get_sigframe(struct target_sigaction *ka,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In parse_user_sigframe, the kernel rejects duplicate sve records,
or records that are smaller than the header.  We were silently
allowing these cases to pass, dropping the record.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-38-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             break;
 
         case TARGET_SVE_MAGIC:
+            if (sve || size < sizeof(struct target_sve_context)) {
+                goto err;
+            }
             if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
                 vq = sve_vq(env);
                 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
-                if (!sve && size == sve_size) {
+                if (size == sve_size) {
                     sve = (struct target_sve_context *)ctx;
                     break;
                 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Move the checks out of the parsing loop and into the
restore function.  This more closely mirrors the code
structure in the kernel, and is slightly clearer.

Reject rather than silently skip incorrect VL and SVE record sizes,
bringing our checks in to line with those the kernel does.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-40-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 51 +++++++++++++++++++++++++------------
 1 file changed, 35 insertions(+), 16 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
     }
 }
 
-static void target_restore_sve_record(CPUARMState *env,
-                                      struct target_sve_context *sve, int vq)
+static bool target_restore_sve_record(CPUARMState *env,
+                                      struct target_sve_context *sve,
+                                      int size)
 {
-    int i, j;
+    int i, j, vl, vq;
 
-    /* Note that SVE regs are stored as a byte stream, with each byte element
+    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
+        return false;
+    }
+
+    __get_user(vl, &sve->vl);
+    vq = sve_vq(env);
+
+    /* Reject mismatched VL. */
+    if (vl != vq * TARGET_SVE_VQ_BYTES) {
+        return false;
+    }
+
+    /* Accept empty record -- used to clear PSTATE.SM. */
+    if (size <= sizeof(*sve)) {
+        return true;
+    }
+
+    /* Reject non-empty but incomplete record. */
+    if (size < TARGET_SVE_SIG_CONTEXT_SIZE(vq)) {
+        return false;
+    }
+
+    /*
+     * Note that SVE regs are stored as a byte stream, with each byte element
      * at a subsequent address.  This corresponds to a little-endian load
      * of our 64-bit hunks.
      */
@@ -XXX,XX +XXX,XX @@ static void target_restore_sve_record(CPUARMState *env,
             }
         }
     }
+    return true;
 }
 
 static int target_restore_sigframe(CPUARMState *env,
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     struct target_sve_context *sve = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
-    int vq = 0, sve_size = 0;
+    int sve_size = 0;
 
     target_restore_general_frame(env, sf);
 
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             if (sve || size < sizeof(struct target_sve_context)) {
                 goto err;
             }
-            if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
-                vq = sve_vq(env);
-                sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
-                if (size == sve_size) {
-                    sve = (struct target_sve_context *)ctx;
-                    break;
-                }
-            }
-            goto err;
+            sve = (struct target_sve_context *)ctx;
+            sve_size = size;
+            break;
 
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     }
 
     /* SVE data, if present, overwrites FPSIMD data.  */
-    if (sve) {
-        target_restore_sve_record(env, sve, vq);
+    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
+        goto err;
     }
     unlock_user(extra, extra_datap, 0);
     return 0;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Set the SM bit in the SVE record on signal delivery, create the ZA record.
Restore SM and ZA state according to the records present on return.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-41-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 167 +++++++++++++++++++++++++++++++++---
 1 file changed, 154 insertions(+), 13 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
 
 #define TARGET_SVE_SIG_FLAG_SM  1
 
+#define TARGET_ZA_MAGIC        0x54366345
+
+struct target_za_context {
+    struct target_aarch64_ctx head;
+    uint16_t vl;
+    uint16_t reserved[3];
+    /* The actual ZA data immediately follows. */
+};
+
+#define TARGET_ZA_SIG_REGS_OFFSET \
+    QEMU_ALIGN_UP(sizeof(struct target_za_context), TARGET_SVE_VQ_BYTES)
+#define TARGET_ZA_SIG_ZAV_OFFSET(VQ, N) \
+    (TARGET_ZA_SIG_REGS_OFFSET + (VQ) * TARGET_SVE_VQ_BYTES * (N))
+#define TARGET_ZA_SIG_CONTEXT_SIZE(VQ) \
+    TARGET_ZA_SIG_ZAV_OFFSET(VQ, VQ * TARGET_SVE_VQ_BYTES)
+
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_end_record(struct target_aarch64_ctx *end)
 }
 
 static void target_setup_sve_record(struct target_sve_context *sve,
-                                    CPUARMState *env, int vq, int size)
+                                    CPUARMState *env, int size)
 {
-    int i, j;
+    int i, j, vq = sve_vq(env);
 
     memset(sve, 0, sizeof(*sve));
     __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
     }
 }
 
+static void target_setup_za_record(struct target_za_context *za,
+                                   CPUARMState *env, int size)
+{
+    int vq = sme_vq(env);
+    int vl = vq * TARGET_SVE_VQ_BYTES;
+    int i, j;
+
+    memset(za, 0, sizeof(*za));
+    __put_user(TARGET_ZA_MAGIC, &za->head.magic);
+    __put_user(size, &za->head.size);
+    __put_user(vl, &za->vl);
+
+    if (size == TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
+        return;
+    }
+    assert(size == TARGET_ZA_SIG_CONTEXT_SIZE(vq));
+
+    /*
+     * Note that ZA vectors are stored as a byte stream,
+     * with each byte element at a subsequent address.
+     */
+    for (i = 0; i < vl; ++i) {
+        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
+        for (j = 0; j < vq * 2; ++j) {
+            __put_user_e(env->zarray[i].d[j], z + j, le);
+        }
+    }
+}
+
 static void target_restore_general_frame(CPUARMState *env,
                                          struct target_rt_sigframe *sf)
 {
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
 
 static bool target_restore_sve_record(CPUARMState *env,
                                       struct target_sve_context *sve,
-                                      int size)
+                                      int size, int *svcr)
 {
-    int i, j, vl, vq;
+    int i, j, vl, vq, flags;
+    bool sm;
 
-    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
+    __get_user(vl, &sve->vl);
+    __get_user(flags, &sve->flags);
+
+    sm = flags & TARGET_SVE_SIG_FLAG_SM;
+
+    /* The cpu must support Streaming or Non-streaming SVE. */
+    if (sm
+        ? !cpu_isar_feature(aa64_sme, env_archcpu(env))
+        : !cpu_isar_feature(aa64_sve, env_archcpu(env))) {
         return false;
     }
 
-    __get_user(vl, &sve->vl);
-    vq = sve_vq(env);
+    /*
+     * Note that we cannot use sve_vq() because that depends on the
+     * current setting of PSTATE.SM, not the state to be restored.
+     */
+    vq = sve_vqm1_for_el_sm(env, 0, sm) + 1;
 
     /* Reject mismatched VL. */
     if (vl != vq * TARGET_SVE_VQ_BYTES) {
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
         return false;
     }
 
+    *svcr = FIELD_DP64(*svcr, SVCR, SM, sm);
+
     /*
      * Note that SVE regs are stored as a byte stream, with each byte element
      * at a subsequent address.  This corresponds to a little-endian load
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
     return true;
 }
 
+static bool target_restore_za_record(CPUARMState *env,
+                                     struct target_za_context *za,
+                                     int size, int *svcr)
+{
+    int i, j, vl, vq;
+
+    if (!cpu_isar_feature(aa64_sme, env_archcpu(env))) {
+        return false;
+    }
+
+    __get_user(vl, &za->vl);
+    vq = sme_vq(env);
+
+    /* Reject mismatched VL. */
+    if (vl != vq * TARGET_SVE_VQ_BYTES) {
+        return false;
+    }
+
+    /* Accept empty record -- used to clear PSTATE.ZA. */
+    if (size <= TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
+        return true;
+    }
+
+    /* Reject non-empty but incomplete record. */
+    if (size < TARGET_ZA_SIG_CONTEXT_SIZE(vq)) {
+        return false;
+    }
+
+    *svcr = FIELD_DP64(*svcr, SVCR, ZA, 1);
+
+    for (i = 0; i < vl; ++i) {
+        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
+        for (j = 0; j < vq * 2; ++j) {
+            __get_user_e(env->zarray[i].d[j], z + j, le);
+        }
+    }
+    return true;
+}
+
 static int target_restore_sigframe(CPUARMState *env,
                                    struct target_rt_sigframe *sf)
 {
     struct target_aarch64_ctx *ctx, *extra = NULL;
     struct target_fpsimd_context *fpsimd = NULL;
     struct target_sve_context *sve = NULL;
+    struct target_za_context *za = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
     int sve_size = 0;
+    int za_size = 0;
+    int svcr = 0;
 
     target_restore_general_frame(env, sf);
 
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             sve_size = size;
             break;
 
+        case TARGET_ZA_MAGIC:
+            if (za || size < sizeof(struct target_za_context)) {
+                goto err;
+            }
+            za = (struct target_za_context *)ctx;
+            za_size = size;
+            break;
+
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
                 goto err;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     }
 
     /* SVE data, if present, overwrites FPSIMD data.  */
-    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
+    if (sve && !target_restore_sve_record(env, sve, sve_size, &svcr)) {
         goto err;
     }
+    if (za && !target_restore_za_record(env, za, za_size, &svcr)) {
+        goto err;
+    }
+    if (env->svcr != svcr) {
+        env->svcr = svcr;
+        arm_rebuild_hflags(env);
+    }
     unlock_user(extra, extra_datap, 0);
     return 0;
 
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         .total_size = offsetof(struct target_rt_sigframe,
                                uc.tuc_mcontext.__reserved),
     };
-    int fpsimd_ofs, fr_ofs, sve_ofs = 0, vq = 0, sve_size = 0;
+    int fpsimd_ofs, fr_ofs, sve_ofs = 0, za_ofs = 0;
+    int sve_size = 0, za_size = 0;
     struct target_rt_sigframe *frame;
     struct target_rt_frame_record *fr;
     abi_ulong frame_addr, return_addr;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                       &layout);
 
     /* SVE state needs saving only if it exists.  */
-    if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
-        vq = sve_vq(env);
-        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
+    if (cpu_isar_feature(aa64_sve, env_archcpu(env)) ||
+        cpu_isar_feature(aa64_sme, env_archcpu(env))) {
+        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(sve_vq(env)), 16);
         sve_ofs = alloc_sigframe_space(sve_size, &layout);
     }
+    if (cpu_isar_feature(aa64_sme, env_archcpu(env))) {
+        /* ZA state needs saving only if it is enabled.  */
+        if (FIELD_EX64(env->svcr, SVCR, ZA)) {
+            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(sme_vq(env));
+        } else {
+            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(0);
+        }
+        za_ofs = alloc_sigframe_space(za_size, &layout);
+    }
 
     if (layout.extra_ofs) {
         /* Reserve space for the extra end marker.  The standard end marker
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         target_setup_end_record((void *)frame + layout.extra_end_ofs);
     }
     if (sve_ofs) {
-        target_setup_sve_record((void *)frame + sve_ofs, env, vq, sve_size);
+        target_setup_sve_record((void *)frame + sve_ofs, env, sve_size);
+    }
+    if (za_ofs) {
+        target_setup_za_record((void *)frame + za_ofs, env, za_size);
     }
 
     /* Set up the stack frame for unwinding.  */
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         env->btype = 2;
     }
 
+    /*
+     * Invoke the signal handler with both SM and ZA disabled.
+     * When clearing SM, ResetSVEState, per SMSTOP.
+     */
+    if (FIELD_EX64(env->svcr, SVCR, SM)) {
+        arm_reset_sve_state(env);
+    }
+    if (env->svcr) {
+        env->svcr = 0;
+        arm_rebuild_hflags(env);
+    }
+
     if (info) {
         tswap_siginfo(&frame->info, info);
         env->xregs[1] = frame_addr + offsetof(struct target_rt_sigframe, info);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Add "sve" to the sve prctl functions, to distinguish
them from the coming "sme" prctls with similar names.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-42-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_prctl.h |  8 ++++----
 linux-user/syscall.c              | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_prctl.h
+++ b/linux-user/aarch64/target_prctl.h
@@ -XXX,XX +XXX,XX @@
 #ifndef AARCH64_TARGET_PRCTL_H
 #define AARCH64_TARGET_PRCTL_H
 
-static abi_long do_prctl_get_vl(CPUArchState *env)
+static abi_long do_prctl_sve_get_vl(CPUArchState *env)
 {
     ARMCPU *cpu = env_archcpu(env);
     if (cpu_isar_feature(aa64_sve, cpu)) {
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_get_vl(CPUArchState *env)
     }
     return -TARGET_EINVAL;
 }
-#define do_prctl_get_vl do_prctl_get_vl
+#define do_prctl_sve_get_vl do_prctl_sve_get_vl
 
-static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
+static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
 {
     /*
      * We cannot support either PR_SVE_SET_VL_ONEXEC or PR_SVE_VL_INHERIT.
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
     }
     return -TARGET_EINVAL;
 }
-#define do_prctl_set_vl do_prctl_set_vl
+#define do_prctl_sve_set_vl do_prctl_sve_set_vl
 
 static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
 {
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
 #ifndef do_prctl_set_fp_mode
 #define do_prctl_set_fp_mode do_prctl_inval1
 #endif
-#ifndef do_prctl_get_vl
-#define do_prctl_get_vl do_prctl_inval0
+#ifndef do_prctl_sve_get_vl
+#define do_prctl_sve_get_vl do_prctl_inval0
 #endif
-#ifndef do_prctl_set_vl
-#define do_prctl_set_vl do_prctl_inval1
+#ifndef do_prctl_sve_set_vl
+#define do_prctl_sve_set_vl do_prctl_inval1
 #endif
 #ifndef do_prctl_reset_keys
 #define do_prctl_reset_keys do_prctl_inval1
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
     case PR_SET_FP_MODE:
         return do_prctl_set_fp_mode(env, arg2);
     case PR_SVE_GET_VL:
-        return do_prctl_get_vl(env);
+        return do_prctl_sve_get_vl(env);
     case PR_SVE_SET_VL:
-        return do_prctl_set_vl(env, arg2);
+        return do_prctl_sve_set_vl(env, arg2);
     case PR_PAC_RESET_KEYS:
         if (arg3 || arg4 || arg5) {
             return -TARGET_EINVAL;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

These prctl set the Streaming SVE vector length, which may
be completely different from the Normal SVE vector length.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-43-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_prctl.h | 54 +++++++++++++++++++++++++++++++
 linux-user/syscall.c              | 16 +++++++++
 2 files changed, 70 insertions(+)

diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_prctl.h
+++ b/linux-user/aarch64/target_prctl.h
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_get_vl(CPUArchState *env)
 {
     ARMCPU *cpu = env_archcpu(env);
     if (cpu_isar_feature(aa64_sve, cpu)) {
+        /* PSTATE.SM is always unset on syscall entry. */
         return sve_vq(env) * 16;
     }
     return -TARGET_EINVAL;
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
         && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
         uint32_t vq, old_vq;
 
+        /* PSTATE.SM is always unset on syscall entry. */
         old_vq = sve_vq(env);
 
         /*
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
 }
 #define do_prctl_sve_set_vl do_prctl_sve_set_vl
 
+static abi_long do_prctl_sme_get_vl(CPUArchState *env)
+{
+    ARMCPU *cpu = env_archcpu(env);
+    if (cpu_isar_feature(aa64_sme, cpu)) {
+        return sme_vq(env) * 16;
+    }
+    return -TARGET_EINVAL;
+}
+#define do_prctl_sme_get_vl do_prctl_sme_get_vl
+
+static abi_long do_prctl_sme_set_vl(CPUArchState *env, abi_long arg2)
+{
+    /*
+     * We cannot support either PR_SME_SET_VL_ONEXEC or PR_SME_VL_INHERIT.
+     * Note the kernel definition of sve_vl_valid allows for VQ=512,
+     * i.e. VL=8192, even though the architectural maximum is VQ=16.
+     */
+    if (cpu_isar_feature(aa64_sme, env_archcpu(env))
+        && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
+        int vq, old_vq;
+
+        old_vq = sme_vq(env);
+
+        /*
+         * Bound the value of vq, so that we know that it fits into
+         * the 4-bit field in SMCR_EL1.  Because PSTATE.SM is cleared
+         * on syscall entry, we are not modifying the current SVE
+         * vector length.
+         */
+        vq = MAX(arg2 / 16, 1);
+        vq = MIN(vq, 16);
+        env->vfp.smcr_el[1] =
+            FIELD_DP64(env->vfp.smcr_el[1], SMCR, LEN, vq - 1);
+
+        /* Delay rebuilding hflags until we know if ZA must change. */
+        vq = sve_vqm1_for_el_sm(env, 0, true) + 1;
+
+        if (vq != old_vq) {
+            /*
+             * PSTATE.ZA state is cleared on any change to SVL.
+             * We need not call arm_rebuild_hflags because PSTATE.SM was
+             * cleared on syscall entry, so this hasn't changed VL.
+             */
+            env->svcr = FIELD_DP64(env->svcr, SVCR, ZA, 0);
+            arm_rebuild_hflags(env);
+        }
+        return vq * 16;
+    }
+    return -TARGET_EINVAL;
+}
+#define do_prctl_sme_set_vl do_prctl_sme_set_vl
+
 static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
 {
     ARMCPU *cpu = env_archcpu(env);
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr)
 #ifndef PR_SET_SYSCALL_USER_DISPATCH
 # define PR_SET_SYSCALL_USER_DISPATCH 59
 #endif
+#ifndef PR_SME_SET_VL
+# define PR_SME_SET_VL  63
+# define PR_SME_GET_VL  64
+# define PR_SME_VL_LEN_MASK  0xffff
+# define PR_SME_VL_INHERIT   (1 << 17)
+#endif
 
 #include "target_prctl.h"
 
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
 #ifndef do_prctl_set_unalign
 #define do_prctl_set_unalign do_prctl_inval1
 #endif
+#ifndef do_prctl_sme_get_vl
+#define do_prctl_sme_get_vl do_prctl_inval0
+#endif
+#ifndef do_prctl_sme_set_vl
+#define do_prctl_sme_set_vl do_prctl_inval1
+#endif
 
 static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
                          abi_long arg3, abi_long arg4, abi_long arg5)
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
         return do_prctl_sve_get_vl(env);
     case PR_SVE_SET_VL:
         return do_prctl_sve_set_vl(env, arg2);
+    case PR_SME_GET_VL:
+        return do_prctl_sme_get_vl(env);
+    case PR_SME_SET_VL:
+        return do_prctl_sme_set_vl(env, arg2);
     case PR_PAC_RESET_KEYS:
         if (arg3 || arg4 || arg5) {
             return -TARGET_EINVAL;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

There's no reason to set CPACR_EL1.ZEN if SVE disabled.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-44-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
         /* and to the FP/Neon instructions */
         env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
                                          CPACR_EL1, FPEN, 3);
-        /* and to the SVE instructions */
-        env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
-                                         CPACR_EL1, ZEN, 3);
-        /* with reasonable vector length */
+        /* and to the SVE instructions, with default vector length */
         if (cpu_isar_feature(aa64_sve, cpu)) {
+            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+                                             CPACR_EL1, ZEN, 3);
             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
         }
         /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Enable SME, TPIDR2_EL0, and FA64 if supported by the cpu.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-45-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
                                              CPACR_EL1, ZEN, 3);
             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
         }
+        /* and for SME instructions, with default vector length, and TPIDR2 */
+        if (cpu_isar_feature(aa64_sme, cpu)) {
+            env->cp15.sctlr_el[1] |= SCTLR_EnTP2;
+            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+                                             CPACR_EL1, SMEN, 3);
+            env->vfp.smcr_el[1] = cpu->sme_default_vq - 1;
+            if (cpu_isar_feature(aa64_sme_fa64, cpu)) {
+                env->vfp.smcr_el[1] = FIELD_DP64(env->vfp.smcr_el[1],
+                                                 SMCR, FA64, 1);
+            }
+        }
         /*
          * Enable 48-bit address space (TODO: take reserved_va into account).
          * Enable TBI0 but not TBI1.
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-46-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/elfload.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ enum {
     ARM_HWCAP2_A64_RNG          = 1 << 16,
     ARM_HWCAP2_A64_BTI          = 1 << 17,
     ARM_HWCAP2_A64_MTE          = 1 << 18,
+    ARM_HWCAP2_A64_ECV          = 1 << 19,
+    ARM_HWCAP2_A64_AFP          = 1 << 20,
+    ARM_HWCAP2_A64_RPRES        = 1 << 21,
+    ARM_HWCAP2_A64_MTE3         = 1 << 22,
+    ARM_HWCAP2_A64_SME          = 1 << 23,
+    ARM_HWCAP2_A64_SME_I16I64   = 1 << 24,
+    ARM_HWCAP2_A64_SME_F64F64   = 1 << 25,
+    ARM_HWCAP2_A64_SME_I8I32    = 1 << 26,
+    ARM_HWCAP2_A64_SME_F16F32   = 1 << 27,
+    ARM_HWCAP2_A64_SME_B16F32   = 1 << 28,
+    ARM_HWCAP2_A64_SME_F32F32   = 1 << 29,
+    ARM_HWCAP2_A64_SME_FA64     = 1 << 30,
 };
 
 #define ELF_HWCAP   get_elf_hwcap()
@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap2(void)
     GET_FEATURE_ID(aa64_rndr, ARM_HWCAP2_A64_RNG);
     GET_FEATURE_ID(aa64_bti, ARM_HWCAP2_A64_BTI);
     GET_FEATURE_ID(aa64_mte, ARM_HWCAP2_A64_MTE);
+    GET_FEATURE_ID(aa64_sme, (ARM_HWCAP2_A64_SME |
+                              ARM_HWCAP2_A64_SME_F32F32 |
+                              ARM_HWCAP2_A64_SME_B16F32 |
+                              ARM_HWCAP2_A64_SME_F16F32 |
+                              ARM_HWCAP2_A64_SME_I8I32));
+    GET_FEATURE_ID(aa64_sme_f64f64, ARM_HWCAP2_A64_SME_F64F64);
+    GET_FEATURE_ID(aa64_sme_i16i64, ARM_HWCAP2_A64_SME_I16I64);
+    GET_FEATURE_ID(aa64_sme_fa64, ARM_HWCAP2_A64_SME_FA64);
 
     return hwcaps;
 }
-- 
2.25.1

Hi; this is the latest target-arm queue; most of this is a refactoring
patchset from RTH for the arm page-table-walk emulation.

thanks
-- PMM

The following changes since commit f1d33f55c47dfdaf8daacd618588ad3ae4c452d1:

Merge tag 'pull-testing-gdbstub-plugins-gitdm-061022-3' of https://github.com/stsquad/qemu into staging (2022-10-06 07:11:56 -0400)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221010

for you to fetch changes up to 915f62844cf62e428c7c178149b5ff1cbe129b07:

docs/system/arm/emulation.rst: Report FEAT_GTG support (2022-10-10 14:52:25 +0100)

----------------------------------------------------------------
target-arm queue:
 * Retry KVM_CREATE_VM call if it fails EINTR
 * allow setting SCR_EL3.EnTP2 when FEAT_SME is implemented
 * docs/nuvoton: Update URL for images
 * refactoring of page table walk code
 * hw/arm/boot: set CPTR_EL3.ESM and SCR_EL3.EnTP2 when booting Linux with EL3
 * Don't allow guest to use unimplemented granule sizes
 * Report FEAT_GTG support

----------------------------------------------------------------
Jerome Forissier (2):
      target/arm: allow setting SCR_EL3.EnTP2 when FEAT_SME is implemented
      hw/arm/boot: set CPTR_EL3.ESM and SCR_EL3.EnTP2 when booting Linux with EL3

Joel Stanley (1):
      docs/nuvoton: Update URL for images

Peter Maydell (4):
      target/arm/kvm: Retry KVM_CREATE_VM call if it fails EINTR
      target/arm: Don't allow guest to use unimplemented granule sizes
      target/arm: Use ARMGranuleSize in ARMVAParameters
      docs/system/arm/emulation.rst: Report FEAT_GTG support

Richard Henderson (21):
      target/arm: Split s2walk_secure from ipa_secure in get_phys_addr
      target/arm: Make the final stage1+2 write to secure be unconditional
      target/arm: Add is_secure parameter to get_phys_addr_lpae
      target/arm: Fix S2 disabled check in S1_ptw_translate
      target/arm: Add is_secure parameter to regime_translation_disabled
      target/arm: Split out get_phys_addr_with_secure
      target/arm: Add is_secure parameter to v7m_read_half_insn
      target/arm: Add TBFLAG_M32.SECURE
      target/arm: Merge regime_is_secure into get_phys_addr
      target/arm: Add is_secure parameter to do_ats_write
      target/arm: Fold secure and non-secure a-profile mmu indexes
      target/arm: Reorg regime_translation_disabled
      target/arm: Drop secure check for HCR.TGE vs SCTLR_EL1.M
      target/arm: Introduce arm_hcr_el2_eff_secstate
      target/arm: Hoist read of *is_secure in S1_ptw_translate
      target/arm: Remove env argument from combined_attrs_fwb
      target/arm: Pass HCR to attribute subroutines.
      target/arm: Fix ATS12NSO* from S PL1
      target/arm: Split out get_phys_addr_disabled
      target/arm: Fix cacheattr in get_phys_addr_disabled
      target/arm: Use tlb_set_page_full

Occasionally the KVM_CREATE_VM ioctl can return EINTR, even though
there is no pending signal to be taken. In commit 94ccff13382055
we added a retry-on-EINTR loop to the KVM_CREATE_VM call in the
generic KVM code. Adopt the same approach for the use of the
ioctl in the Arm-specific KVM code (where we use it to create a
scratch VM for probing for various things).

For more information, see the mailing list thread:
https://lore.kernel.org/qemu-devel/8735e0s1zw.wl-maz@kernel.org/

Reported-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Message-id: 20220930113824.1933293-1-peter.maydell@linaro.org
---
 target/arm/kvm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try,
     if (max_vm_pa_size < 0) {
         max_vm_pa_size = 0;
     }
-    vmfd = ioctl(kvmfd, KVM_CREATE_VM, max_vm_pa_size);
+    do {
+        vmfd = ioctl(kvmfd, KVM_CREATE_VM, max_vm_pa_size);
+    } while (vmfd == -1 && errno == EINTR);
     if (vmfd < 0) {
         goto err;
     }
-- 
2.25.1

From: Jerome Forissier <jerome.forissier@linaro.org>

Updates write_scr() to allow setting SCR_EL3.EnTP2 when FEAT_SME is
implemented. SCR_EL3 being a 64-bit register, valid_mask is changed
to uint64_t and the SCR_* constants in target/arm/cpu.h are extended
to 64-bit so that masking and bitwise not (~) behave as expected.

This enables booting Linux with Trusted Firmware-A at EL3 with
"-M virt,secure=on -cpu max".

Cc: qemu-stable@nongnu.org
Fixes: 78cb9776662a ("target/arm: Enable SME for -cpu max")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221004072354.27037-1-jerome.forissier@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    | 54 ++++++++++++++++++++++-----------------------
 target/arm/helper.c |  5 ++++-
 2 files changed, 31 insertions(+), 28 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
 
 #define HPFAR_NS      (1ULL << 63)
 
-#define SCR_NS                (1U << 0)
-#define SCR_IRQ               (1U << 1)
-#define SCR_FIQ               (1U << 2)
-#define SCR_EA                (1U << 3)
-#define SCR_FW                (1U << 4)
-#define SCR_AW                (1U << 5)
-#define SCR_NET               (1U << 6)
-#define SCR_SMD               (1U << 7)
-#define SCR_HCE               (1U << 8)
-#define SCR_SIF               (1U << 9)
-#define SCR_RW                (1U << 10)
-#define SCR_ST                (1U << 11)
-#define SCR_TWI               (1U << 12)
-#define SCR_TWE               (1U << 13)
-#define SCR_TLOR              (1U << 14)
-#define SCR_TERR              (1U << 15)
-#define SCR_APK               (1U << 16)
-#define SCR_API               (1U << 17)
-#define SCR_EEL2              (1U << 18)
-#define SCR_EASE              (1U << 19)
-#define SCR_NMEA              (1U << 20)
-#define SCR_FIEN              (1U << 21)
-#define SCR_ENSCXT            (1U << 25)
-#define SCR_ATA               (1U << 26)
-#define SCR_FGTEN             (1U << 27)
-#define SCR_ECVEN             (1U << 28)
-#define SCR_TWEDEN            (1U << 29)
+#define SCR_NS                (1ULL << 0)
+#define SCR_IRQ               (1ULL << 1)
+#define SCR_FIQ               (1ULL << 2)
+#define SCR_EA                (1ULL << 3)
+#define SCR_FW                (1ULL << 4)
+#define SCR_AW                (1ULL << 5)
+#define SCR_NET               (1ULL << 6)
+#define SCR_SMD               (1ULL << 7)
+#define SCR_HCE               (1ULL << 8)
+#define SCR_SIF               (1ULL << 9)
+#define SCR_RW                (1ULL << 10)
+#define SCR_ST                (1ULL << 11)
+#define SCR_TWI               (1ULL << 12)
+#define SCR_TWE               (1ULL << 13)
+#define SCR_TLOR              (1ULL << 14)
+#define SCR_TERR              (1ULL << 15)
+#define SCR_APK               (1ULL << 16)
+#define SCR_API               (1ULL << 17)
+#define SCR_EEL2              (1ULL << 18)
+#define SCR_EASE              (1ULL << 19)
+#define SCR_NMEA              (1ULL << 20)
+#define SCR_FIEN              (1ULL << 21)
+#define SCR_ENSCXT            (1ULL << 25)
+#define SCR_ATA               (1ULL << 26)
+#define SCR_FGTEN             (1ULL << 27)
+#define SCR_ECVEN             (1ULL << 28)
+#define SCR_TWEDEN            (1ULL << 29)
 #define SCR_TWEDEL            MAKE_64BIT_MASK(30, 4)
 #define SCR_TME               (1ULL << 34)
 #define SCR_AMVOFFEN          (1ULL << 35)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
 static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
 {
     /* Begin with base v8.0 state.  */
-    uint32_t valid_mask = 0x3fff;
+    uint64_t valid_mask = 0x3fff;
     ARMCPU *cpu = env_archcpu(env);
 
     /*
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         if (cpu_isar_feature(aa64_doublefault, cpu)) {
             valid_mask |= SCR_EASE | SCR_NMEA;
         }
+        if (cpu_isar_feature(aa64_sme, cpu)) {
+            valid_mask |= SCR_ENTP2;
+        }
     } else {
         valid_mask &= ~(SCR_RW | SCR_ST);
         if (cpu_isar_feature(aa32_ras, cpu)) {
-- 
2.25.1

From: Joel Stanley <joel@jms.id.au>

openpower.xyz was retired some time ago. The OpenBMC Jenkins is where
images can be found these days.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Hao Wu <wuhaotsh@google.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20221004050042.22681-1-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/nuvoton.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/system/arm/nuvoton.rst b/docs/system/arm/nuvoton.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/nuvoton.rst
+++ b/docs/system/arm/nuvoton.rst
@@ -XXX,XX +XXX,XX @@ Boot options
 
 The Nuvoton machines can boot from an OpenBMC firmware image, or directly into
 a kernel using the ``-kernel`` option. OpenBMC images for ``quanta-gsj`` and
-possibly others can be downloaded from the OpenPOWER jenkins :
+possibly others can be downloaded from the OpenBMC jenkins :
 
-   https://openpower.xyz/
+   https://jenkins.openbmc.org/
 
 The firmware image should be attached as an MTD drive. Example :
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The starting security state comes with the translation regime,
not the current state of arm_is_secure_below_el3().

Create a new local variable, s2walk_secure, which does not need
to be written back to result->attrs.secure -- we compute that
value later, after the S2 walk is complete.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221001162318.153420-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
             hwaddr ipa;
             int s1_prot;
             int ret;
-            bool ipa_secure;
+            bool ipa_secure, s2walk_secure;
             ARMCacheAttrs cacheattrs1;
             ARMMMUIdx s2_mmu_idx;
             bool is_el0;
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
 
             ipa = result->phys;
             ipa_secure = result->attrs.secure;
-            if (arm_is_secure_below_el3(env)) {
-                if (ipa_secure) {
-                    result->attrs.secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
-                } else {
-                    result->attrs.secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
-                }
+            if (is_secure) {
+                /* Select TCR based on the NS bit from the S1 walk. */
+                s2walk_secure = !(ipa_secure
+                                  ? env->cp15.vstcr_el2 & VSTCR_SW
+                                  : env->cp15.vtcr_el2 & VTCR_NSW);
             } else {
                 assert(!ipa_secure);
+                s2walk_secure = false;
             }
 
-            s2_mmu_idx = (result->attrs.secure
+            s2_mmu_idx = (s2walk_secure
                           ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2);
             is_el0 = mmu_idx == ARMMMUIdx_E10_0 || mmu_idx == ARMMMUIdx_SE10_0;
 
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
                                                     result->cacheattrs);
 
             /* Check if IPA translates to secure or non-secure PA space. */
-            if (arm_is_secure_below_el3(env)) {
+            if (is_secure) {
                 if (ipa_secure) {
                     result->attrs.secure =
                         !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW));
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

While the stage2 call to get_phys_addr_lpae should never set
attrs.secure when given a non-secure input, it's just as easy
to make the final update to attrs.secure be unconditional and
false in the case of non-secure input.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221007152159.1414065-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
             result->cacheattrs = combine_cacheattrs(env, cacheattrs1,
                                                     result->cacheattrs);
 
-            /* Check if IPA translates to secure or non-secure PA space. */
-            if (is_secure) {
-                if (ipa_secure) {
-                    result->attrs.secure =
-                        !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW));
-                } else {
-                    result->attrs.secure =
-                        !((env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))
-                        || (env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW)));
-                }
-            }
+            /*
+             * Check if IPA translates to secure or non-secure PA space.
+             * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
+             */
+            result->attrs.secure =
+                (is_secure
+                 && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
+                 && (ipa_secure
+                     || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
+
             return 0;
         } else {
             /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Remove the use of regime_is_secure from get_phys_addr_lpae,
using the new parameter instead.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@
 
 static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                               bool s1_is_el0, GetPhysAddrResult *result,
-                               ARMMMUFaultInfo *fi)
+                               bool is_secure, bool s1_is_el0,
+                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
     __attribute__((nonnull));
 
 /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
         GetPhysAddrResult s2 = {};
         int ret;
 
-        ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx, false,
-                                 &s2, fi);
+        ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx,
+                                 *is_secure, false, &s2, fi);
         if (ret) {
             assert(fi->type != ARMFault_None);
             fi->s2addr = addr;
@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
  */
 static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                               bool s1_is_el0, GetPhysAddrResult *result,
-                               ARMMMUFaultInfo *fi)
+                               bool is_secure, bool s1_is_el0,
+                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 {
     ARMCPU *cpu = env_archcpu(env);
     /* Read an LPAE long-descriptor translation table. */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
      * remain non-secure. We implement this by just ORing in the NSTable/NS
      * bits at each step.
      */
-    tableattrs = regime_is_secure(env, mmu_idx) ? 0 : (1 << 4);
+    tableattrs = is_secure ? 0 : (1 << 4);
     for (;;) {
         uint64_t descriptor;
         bool nstable;
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
             memset(result, 0, sizeof(*result));
 
             ret = get_phys_addr_lpae(env, ipa, access_type, s2_mmu_idx,
-                                     is_el0, result, fi);
+                                     s2walk_secure, is_el0, result, fi);
             fi->s2addr = ipa;
 
             /* Combine the S1 and S2 perms.  */
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
     }
 
     if (regime_using_lpae_format(env, mmu_idx)) {
-        return get_phys_addr_lpae(env, address, access_type, mmu_idx, false,
-                                  result, fi);
+        return get_phys_addr_lpae(env, address, access_type, mmu_idx,
+                                  is_secure, false, result, fi);
     } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
         return get_phys_addr_v6(env, address, access_type, mmu_idx,
                                 is_secure, result, fi);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Pass the correct stage2 mmu_idx to regime_translation_disabled,
which we computed afterward.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221001162318.153420-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
                                hwaddr addr, bool *is_secure,
                                ARMMMUFaultInfo *fi)
 {
+    ARMMMUIdx s2_mmu_idx = *is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+
     if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
-        !regime_translation_disabled(env, ARMMMUIdx_Stage2)) {
-        ARMMMUIdx s2_mmu_idx = *is_secure ? ARMMMUIdx_Stage2_S
-                                          : ARMMMUIdx_Stage2;
+        !regime_translation_disabled(env, s2_mmu_idx)) {
         GetPhysAddrResult s2 = {};
         int ret;
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Remove the use of regime_is_secure from regime_translation_disabled,
using the new parameter instead.

This fixes a bug in S1_ptw_translate and get_phys_addr where we had
passed ARMMMUIdx_Stage2 and not ARMMMUIdx_Stage2_S to determine if
Stage2 is disabled, affecting FEAT_SEL2.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn)
 }
 
 /* Return true if the specified stage of address translation is disabled */
-static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx)
+static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
+                                        bool is_secure)
 {
     uint64_t hcr_el2;
 
     if (arm_feature(env, ARM_FEATURE_M)) {
-        switch (env->v7m.mpu_ctrl[regime_is_secure(env, mmu_idx)] &
+        switch (env->v7m.mpu_ctrl[is_secure] &
                 (R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK)) {
         case R_V7M_MPU_CTRL_ENABLE_MASK:
             /* Enabled, but not for HardFault and NMI */
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx)
 
     if (hcr_el2 & HCR_TGE) {
         /* TGE means that NS EL0/1 act as if SCTLR_EL1.M is zero */
-        if (!regime_is_secure(env, mmu_idx) && regime_el(env, mmu_idx) == 1) {
+        if (!is_secure && regime_el(env, mmu_idx) == 1) {
             return true;
         }
     }
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
     ARMMMUIdx s2_mmu_idx = *is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 
     if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
-        !regime_translation_disabled(env, s2_mmu_idx)) {
+        !regime_translation_disabled(env, s2_mmu_idx, *is_secure)) {
         GetPhysAddrResult s2 = {};
         int ret;
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
     uint32_t base;
     bool is_user = regime_is_user(env, mmu_idx);
 
-    if (regime_translation_disabled(env, mmu_idx)) {
+    if (regime_translation_disabled(env, mmu_idx, is_secure)) {
         /* MPU disabled.  */
         result->phys = address;
         result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
     result->page_size = TARGET_PAGE_SIZE;
     result->prot = 0;
 
-    if (regime_translation_disabled(env, mmu_idx) ||
+    if (regime_translation_disabled(env, mmu_idx, secure) ||
         m_is_ppb_region(env, address)) {
         /*
          * MPU disabled or M profile PPB access: use default memory map.
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
      * are done in arm_v7m_load_vector(), which always does a direct
      * read using address_space_ldl(), rather than going via this function.
      */
-    if (regime_translation_disabled(env, mmu_idx)) { /* MPU disabled */
+    if (regime_translation_disabled(env, mmu_idx, secure)) { /* MPU disabled */
         hit = true;
     } else if (m_is_ppb_region(env, address)) {
         hit = true;
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
                                 result, fi);
 
             /* If S1 fails or S2 is disabled, return early.  */
-            if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2)) {
+            if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2,
+                                                   is_secure)) {
                 return ret;
             }
 
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
 
     /* Definitely a real MMU, not an MPU */
 
-    if (regime_translation_disabled(env, mmu_idx)) {
+    if (regime_translation_disabled(env, mmu_idx, is_secure)) {
         uint64_t hcr;
         uint8_t memattr;
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Retain the existing get_phys_addr interface using the security
state derived from mmu_idx.  Move the kerneldoc comments to the
header file where they belong.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 40 ++++++++++++++++++++++++++++++++++++++
 target/arm/ptw.c       | 44 ++++++++++++++----------------------------
 2 files changed, 55 insertions(+), 29 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef struct GetPhysAddrResult {
     ARMCacheAttrs cacheattrs;
 } GetPhysAddrResult;
 
+/**
+ * get_phys_addr_with_secure: get the physical address for a virtual address
+ * @env: CPUARMState
+ * @address: virtual address to get physical address for
+ * @access_type: 0 for read, 1 for write, 2 for execute
+ * @mmu_idx: MMU index indicating required translation regime
+ * @is_secure: security state for the access
+ * @result: set on translation success.
+ * @fi: set to fault info if the translation fails
+ *
+ * Find the physical address corresponding to the given virtual address,
+ * by doing a translation table walk on MMU based systems or using the
+ * MPU state on MPU based systems.
+ *
+ * Returns false if the translation was successful. Otherwise, phys_ptr, attrs,
+ * prot and page_size may not be filled in, and the populated fsr value provides
+ * information on why the translation aborted, in the format of a
+ * DFSR/IFSR fault register, with the following caveats:
+ *  * we honour the short vs long DFSR format differences.
+ *  * the WnR bit is never set (the caller must do this).
+ *  * for PSMAv5 based systems we don't bother to return a full FSR format
+ *    value.
+ */
+bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
+                               MMUAccessType access_type,
+                               ARMMMUIdx mmu_idx, bool is_secure,
+                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
+    __attribute__((nonnull));
+
+/**
+ * get_phys_addr: get the physical address for a virtual address
+ * @env: CPUARMState
+ * @address: virtual address to get physical address for
+ * @access_type: 0 for read, 1 for write, 2 for execute
+ * @mmu_idx: MMU index indicating required translation regime
+ * @result: set on translation success.
+ * @fi: set to fault info if the translation fails
+ *
+ * Similarly, but use the security regime of @mmu_idx.
+ */
 bool get_phys_addr(CPUARMState *env, target_ulong address,
                    MMUAccessType access_type, ARMMMUIdx mmu_idx,
                    GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
     return ret;
 }
 
-/**
- * get_phys_addr - get the physical address for this virtual address
- *
- * Find the physical address corresponding to the given virtual address,
- * by doing a translation table walk on MMU based systems or using the
- * MPU state on MPU based systems.
- *
- * Returns false if the translation was successful. Otherwise, phys_ptr, attrs,
- * prot and page_size may not be filled in, and the populated fsr value provides
- * information on why the translation aborted, in the format of a
- * DFSR/IFSR fault register, with the following caveats:
- *  * we honour the short vs long DFSR format differences.
- *  * the WnR bit is never set (the caller must do this).
- *  * for PSMAv5 based systems we don't bother to return a full FSR format
- *    value.
- *
- * @env: CPUARMState
- * @address: virtual address to get physical address for
- * @access_type: 0 for read, 1 for write, 2 for execute
- * @mmu_idx: MMU index indicating required translation regime
- * @result: set on translation success.
- * @fi: set to fault info if the translation fails
- */
-bool get_phys_addr(CPUARMState *env, target_ulong address,
-                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                   GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
+bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
+                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                               bool is_secure, GetPhysAddrResult *result,
+                               ARMMMUFaultInfo *fi)
 {
     ARMMMUIdx s1_mmu_idx = stage_1_mmu_idx(mmu_idx);
-    bool is_secure = regime_is_secure(env, mmu_idx);
 
     if (mmu_idx != s1_mmu_idx) {
         /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
             ARMMMUIdx s2_mmu_idx;
             bool is_el0;
 
-            ret = get_phys_addr(env, address, access_type, s1_mmu_idx,
-                                result, fi);
+            ret = get_phys_addr_with_secure(env, address, access_type,
+                                            s1_mmu_idx, is_secure, result, fi);
 
             /* If S1 fails or S2 is disabled, return early.  */
             if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2,
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
     }
 }
 
+bool get_phys_addr(CPUARMState *env, target_ulong address,
+                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                   GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
+{
+    return get_phys_addr_with_secure(env, address, access_type, mmu_idx,
+                                     regime_is_secure(env, mmu_idx),
+                                     result, fi);
+}
+
 hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
                                          MemTxAttrs *attrs)
 {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Remove the use of regime_is_secure from v7m_read_half_insn, using
the new parameter instead.

As it happens, both callers pass true, propagated from the argument
to arm_v7m_mmu_idx_for_secstate which created the mmu_idx argument,
but that is a detail of v7m_handle_execute_nsc we need not expose
to the callee.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/m_helper.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ static bool do_v7m_function_return(ARMCPU *cpu)
     return true;
 }
 
-static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
+static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool secure,
                                uint32_t addr, uint16_t *insn)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
     ARMMMUFaultInfo fi = {};
     MemTxResult txres;
 
-    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx,
-                        regime_is_secure(env, mmu_idx), &sattrs);
+    v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, secure, &sattrs);
     if (!sattrs.nsc || sattrs.ns) {
         /*
          * This must be the second half of the insn, and it straddles a
@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
     /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
     mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
 
-    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15], &insn)) {
+    if (!v7m_read_half_insn(cpu, mmu_idx, true, env->regs[15], &insn)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
         goto gen_invep;
     }
 
-    if (!v7m_read_half_insn(cpu, mmu_idx, env->regs[15] + 2, &insn)) {
+    if (!v7m_read_half_insn(cpu, mmu_idx, true, env->regs[15] + 2, &insn)) {
         return false;
     }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Remove the use of regime_is_secure from arm_tr_init_disas_context.
Instead, provide the value of v8m_secure directly from tb_flags.
Rather than use regime_is_secure, use the env->v7m.secure directly,
as per arm_mmu_idx_el.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h       | 2 ++
 target/arm/helper.c    | 4 ++++
 target/arm/translate.c | 3 +--
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_M32, NEW_FP_CTXT_NEEDED, 3, 1)     /* Not cached. */
 FIELD(TBFLAG_M32, FPCCR_S_WRONG, 4, 1)          /* Not cached. */
 /* Set if MVE insns are definitely not predicated by VPR or LTPSIZE */
 FIELD(TBFLAG_M32, MVE_NO_PRED, 5, 1)            /* Not cached. */
+/* Set if in secure mode */
+FIELD(TBFLAG_M32, SECURE, 6, 1)
 
 /*
  * Bit usage when in AArch64 state
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_m32(CPUARMState *env, int fp_el,
         DP_TBFLAG_M32(flags, STACKCHECK, 1);
     }
 
+    if (arm_feature(env, ARM_FEATURE_M_SECURITY) && env->v7m.secure) {
+        DP_TBFLAG_M32(flags, SECURE, 1);
+    }
+
     return rebuild_hflags_common_32(env, fp_el, mmu_idx, flags);
 }
 
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
         dc->vfp_enabled = 1;
         dc->be_data = MO_TE;
         dc->v7m_handler_mode = EX_TBFLAG_M32(tb_flags, HANDLER);
-        dc->v8m_secure = arm_feature(env, ARM_FEATURE_M_SECURITY) &&
-            regime_is_secure(env, dc->mmu_idx);
+        dc->v8m_secure = EX_TBFLAG_M32(tb_flags, SECURE);
         dc->v8m_stackcheck = EX_TBFLAG_M32(tb_flags, STACKCHECK);
         dc->v8m_fpccr_s_wrong = EX_TBFLAG_M32(tb_flags, FPCCR_S_WRONG);
         dc->v7m_new_fp_ctxt_needed =
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This is the last use of regime_is_secure; remove it
entirely before changing the layout of ARMMMUIdx.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 42 ----------------------------------------
 target/arm/ptw.c       | 44 ++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 42 insertions(+), 44 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline bool regime_has_2_ranges(ARMMMUIdx mmu_idx)
     }
 }
 
-/* Return true if this address translation regime is secure */
-static inline bool regime_is_secure(CPUARMState *env, ARMMMUIdx mmu_idx)
-{
-    switch (mmu_idx) {
-    case ARMMMUIdx_E10_0:
-    case ARMMMUIdx_E10_1:
-    case ARMMMUIdx_E10_1_PAN:
-    case ARMMMUIdx_E20_0:
-    case ARMMMUIdx_E20_2:
-    case ARMMMUIdx_E20_2_PAN:
-    case ARMMMUIdx_Stage1_E0:
-    case ARMMMUIdx_Stage1_E1:
-    case ARMMMUIdx_Stage1_E1_PAN:
-    case ARMMMUIdx_E2:
-    case ARMMMUIdx_Stage2:
-    case ARMMMUIdx_MPrivNegPri:
-    case ARMMMUIdx_MUserNegPri:
-    case ARMMMUIdx_MPriv:
-    case ARMMMUIdx_MUser:
-        return false;
-    case ARMMMUIdx_SE3:
-    case ARMMMUIdx_SE10_0:
-    case ARMMMUIdx_SE10_1:
-    case ARMMMUIdx_SE10_1_PAN:
-    case ARMMMUIdx_SE20_0:
-    case ARMMMUIdx_SE20_2:
-    case ARMMMUIdx_SE20_2_PAN:
-    case ARMMMUIdx_Stage1_SE0:
-    case ARMMMUIdx_Stage1_SE1:
-    case ARMMMUIdx_Stage1_SE1_PAN:
-    case ARMMMUIdx_SE2:
-    case ARMMMUIdx_Stage2_S:
-    case ARMMMUIdx_MSPrivNegPri:
-    case ARMMMUIdx_MSUserNegPri:
-    case ARMMMUIdx_MSPriv:
-    case ARMMMUIdx_MSUser:
-        return true;
-    default:
-        g_assert_not_reached();
-    }
-}
-
 static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
     switch (mmu_idx) {
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
                    MMUAccessType access_type, ARMMMUIdx mmu_idx,
                    GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 {
+    bool is_secure;
+
+    switch (mmu_idx) {
+    case ARMMMUIdx_E10_0:
+    case ARMMMUIdx_E10_1:
+    case ARMMMUIdx_E10_1_PAN:
+    case ARMMMUIdx_E20_0:
+    case ARMMMUIdx_E20_2:
+    case ARMMMUIdx_E20_2_PAN:
+    case ARMMMUIdx_Stage1_E0:
+    case ARMMMUIdx_Stage1_E1:
+    case ARMMMUIdx_Stage1_E1_PAN:
+    case ARMMMUIdx_E2:
+    case ARMMMUIdx_Stage2:
+    case ARMMMUIdx_MPrivNegPri:
+    case ARMMMUIdx_MUserNegPri:
+    case ARMMMUIdx_MPriv:
+    case ARMMMUIdx_MUser:
+        is_secure = false;
+        break;
+    case ARMMMUIdx_SE3:
+    case ARMMMUIdx_SE10_0:
+    case ARMMMUIdx_SE10_1:
+    case ARMMMUIdx_SE10_1_PAN:
+    case ARMMMUIdx_SE20_0:
+    case ARMMMUIdx_SE20_2:
+    case ARMMMUIdx_SE20_2_PAN:
+    case ARMMMUIdx_Stage1_SE0:
+    case ARMMMUIdx_Stage1_SE1:
+    case ARMMMUIdx_Stage1_SE1_PAN:
+    case ARMMMUIdx_SE2:
+    case ARMMMUIdx_Stage2_S:
+    case ARMMMUIdx_MSPrivNegPri:
+    case ARMMMUIdx_MSUserNegPri:
+    case ARMMMUIdx_MSPriv:
+    case ARMMMUIdx_MSUser:
+        is_secure = true;
+        break;
+    default:
+        g_assert_not_reached();
+    }
     return get_phys_addr_with_secure(env, address, access_type, mmu_idx,
-                                     regime_is_secure(env, mmu_idx),
-                                     result, fi);
+                                     is_secure, result, fi);
 }
 
 hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Use get_phys_addr_with_secure directly.  For a-profile, this is the
one place where the value of is_secure may not equal arm_is_secure(env).

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri,
 
 #ifdef CONFIG_TCG
 static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
-                             MMUAccessType access_type, ARMMMUIdx mmu_idx)
+                             MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                             bool is_secure)
 {
     bool ret;
     uint64_t par64;
@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
     ARMMMUFaultInfo fi = {};
     GetPhysAddrResult res = {};
 
-    ret = get_phys_addr(env, value, access_type, mmu_idx, &res, &fi);
+    ret = get_phys_addr_with_secure(env, value, access_type, mmu_idx,
+                                    is_secure, &res, &fi);
 
     /*
      * ATS operations only do S1 or S1+S2 translations, so we never
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         switch (el) {
         case 3:
             mmu_idx = ARMMMUIdx_SE3;
+            secure = true;
             break;
         case 2:
             g_assert(!secure);  /* ARMv8.4-SecEL2 is 64-bit only */
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         switch (el) {
         case 3:
             mmu_idx = ARMMMUIdx_SE10_0;
+            secure = true;
             break;
         case 2:
             g_assert(!secure);  /* ARMv8.4-SecEL2 is 64-bit only */
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
     case 4:
         /* stage 1+2 NonSecure PL1: ATS12NSOPR, ATS12NSOPW */
         mmu_idx = ARMMMUIdx_E10_1;
+        secure = false;
         break;
     case 6:
         /* stage 1+2 NonSecure PL0: ATS12NSOUR, ATS12NSOUW */
         mmu_idx = ARMMMUIdx_E10_0;
+        secure = false;
         break;
     default:
         g_assert_not_reached();
     }
 
-    par64 = do_ats_write(env, value, access_type, mmu_idx);
+    par64 = do_ats_write(env, value, access_type, mmu_idx, secure);
 
     A32_BANKED_CURRENT_REG_SET(env, par, par64);
 #else
@@ -XXX,XX +XXX,XX @@ static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri,
     MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD;
     uint64_t par64;
 
-    par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2);
+    /* There is no SecureEL2 for AArch32. */
+    par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2, false);
 
     A32_BANKED_CURRENT_REG_SET(env, par, par64);
 #else
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
             break;
         case 6: /* AT S1E3R, AT S1E3W */
             mmu_idx = ARMMMUIdx_SE3;
+            secure = true;
             break;
         default:
             g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
         g_assert_not_reached();
     }
 
-    env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx);
+    env->cp15.par_el[1] = do_ats_write(env, value, access_type,
+                                       mmu_idx, secure);
 #else
     /* Handled by hardware accelerator. */
     g_assert_not_reached();
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

For a-profile aarch64, which does not bank system registers, it takes
quite a lot of code to switch between security states.  In the process,
registers such as TCR_EL{1,2} must be swapped, which in itself requires
the flushing of softmmu tlbs.  Therefore it doesn't buy us anything to
separate tlbs by security state.

Retain the distinction between Stage2 and Stage2_S.

This will be important as we implement FEAT_RME, and do not wish to
add a third set of mmu indexes for Realm state.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu-param.h     |   2 +-
 target/arm/cpu.h           |  72 +++++++------------
 target/arm/internals.h     |  31 +-------
 target/arm/helper.c        | 144 +++++++++++++------------------------
 target/arm/ptw.c           |  25 ++-----
 target/arm/translate-a64.c |   8 ---
 target/arm/translate.c     |   6 +-
 7 files changed, 85 insertions(+), 203 deletions(-)

diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu-param.h
+++ b/target/arm/cpu-param.h
@@ -XXX,XX +XXX,XX @@
 # define TARGET_PAGE_BITS_MIN  10
 #endif
 
-#define NB_MMU_MODES 15
+#define NB_MMU_MODES 8
 
 #endif
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
  *     table over and over.
  *  6. we need separate EL1/EL2 mmu_idx for handling the Privileged Access
  *     Never (PAN) bit within PSTATE.
+ *  7. we fold together the secure and non-secure regimes for A-profile,
+ *     because there are no banked system registers for aarch64, so the
+ *     process of switching between secure and non-secure is
+ *     already heavyweight.
  *
  * This gives us the following list of cases:
  *
- * NS EL0 EL1&0 stage 1+2 (aka NS PL0)
- * NS EL1 EL1&0 stage 1+2 (aka NS PL1)
- * NS EL1 EL1&0 stage 1+2 +PAN
- * NS EL0 EL2&0
- * NS EL2 EL2&0
- * NS EL2 EL2&0 +PAN
- * NS EL2 (aka NS PL2)
- * S EL0 EL1&0 (aka S PL0)
- * S EL1 EL1&0 (not used if EL3 is 32 bit)
- * S EL1 EL1&0 +PAN
- * S EL3 (aka S PL1)
+ * EL0 EL1&0 stage 1+2 (aka NS PL0)
+ * EL1 EL1&0 stage 1+2 (aka NS PL1)
+ * EL1 EL1&0 stage 1+2 +PAN
+ * EL0 EL2&0
+ * EL2 EL2&0
+ * EL2 EL2&0 +PAN
+ * EL2 (aka NS PL2)
+ * EL3 (aka S PL1)
  *
- * for a total of 11 different mmu_idx.
+ * for a total of 8 different mmu_idx.
  *
  * R profile CPUs have an MPU, but can use the same set of MMU indexes
- * as A profile. They only need to distinguish NS EL0 and NS EL1 (and
- * NS EL2 if we ever model a Cortex-R52).
+ * as A profile. They only need to distinguish EL0 and EL1 (and
+ * EL2 if we ever model a Cortex-R52).
  *
  * M profile CPUs are rather different as they do not have a true MMU.
  * They have the following different MMU indexes:
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
 #define ARM_MMU_IDX_NOTLB 0x20  /* does not have a TLB */
 #define ARM_MMU_IDX_M     0x40  /* M profile */
 
-/* Meanings of the bits for A profile mmu idx values */
-#define ARM_MMU_IDX_A_NS     0x8
-
 /* Meanings of the bits for M profile mmu idx values */
 #define ARM_MMU_IDX_M_PRIV   0x1
 #define ARM_MMU_IDX_M_NEGPRI 0x2
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
     /*
      * A-profile.
      */
-    ARMMMUIdx_SE10_0     =  0 | ARM_MMU_IDX_A,
-    ARMMMUIdx_SE20_0     =  1 | ARM_MMU_IDX_A,
-    ARMMMUIdx_SE10_1     =  2 | ARM_MMU_IDX_A,
-    ARMMMUIdx_SE20_2     =  3 | ARM_MMU_IDX_A,
-    ARMMMUIdx_SE10_1_PAN =  4 | ARM_MMU_IDX_A,
-    ARMMMUIdx_SE20_2_PAN =  5 | ARM_MMU_IDX_A,
-    ARMMMUIdx_SE2        =  6 | ARM_MMU_IDX_A,
-    ARMMMUIdx_SE3        =  7 | ARM_MMU_IDX_A,
-
-    ARMMMUIdx_E10_0     = ARMMMUIdx_SE10_0 | ARM_MMU_IDX_A_NS,
-    ARMMMUIdx_E20_0     = ARMMMUIdx_SE20_0 | ARM_MMU_IDX_A_NS,
-    ARMMMUIdx_E10_1     = ARMMMUIdx_SE10_1 | ARM_MMU_IDX_A_NS,
-    ARMMMUIdx_E20_2     = ARMMMUIdx_SE20_2 | ARM_MMU_IDX_A_NS,
-    ARMMMUIdx_E10_1_PAN = ARMMMUIdx_SE10_1_PAN | ARM_MMU_IDX_A_NS,
-    ARMMMUIdx_E20_2_PAN = ARMMMUIdx_SE20_2_PAN | ARM_MMU_IDX_A_NS,
-    ARMMMUIdx_E2        = ARMMMUIdx_SE2 | ARM_MMU_IDX_A_NS,
+    ARMMMUIdx_E10_0     = 0 | ARM_MMU_IDX_A,
+    ARMMMUIdx_E20_0     = 1 | ARM_MMU_IDX_A,
+    ARMMMUIdx_E10_1     = 2 | ARM_MMU_IDX_A,
+    ARMMMUIdx_E20_2     = 3 | ARM_MMU_IDX_A,
+    ARMMMUIdx_E10_1_PAN = 4 | ARM_MMU_IDX_A,
+    ARMMMUIdx_E20_2_PAN = 5 | ARM_MMU_IDX_A,
+    ARMMMUIdx_E2        = 6 | ARM_MMU_IDX_A,
+    ARMMMUIdx_E3        = 7 | ARM_MMU_IDX_A,
 
     /*
      * These are not allocated TLBs and are used only for AT system
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
     ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB,
     ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB,
     ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB,
-    ARMMMUIdx_Stage1_SE0 = 3 | ARM_MMU_IDX_NOTLB,
-    ARMMMUIdx_Stage1_SE1 = 4 | ARM_MMU_IDX_NOTLB,
-    ARMMMUIdx_Stage1_SE1_PAN = 5 | ARM_MMU_IDX_NOTLB,
     /*
      * Not allocated a TLB: used only for second stage of an S12 page
      * table walk, or for descriptor loads during first stage of an S1
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
      * then various TLB flush insns which currently are no-ops or flush
      * only stage 1 MMU indexes will need to change to flush stage 2.
      */
-    ARMMMUIdx_Stage2     = 6 | ARM_MMU_IDX_NOTLB,
-    ARMMMUIdx_Stage2_S   = 7 | ARM_MMU_IDX_NOTLB,
+    ARMMMUIdx_Stage2     = 3 | ARM_MMU_IDX_NOTLB,
+    ARMMMUIdx_Stage2_S   = 4 | ARM_MMU_IDX_NOTLB,
 
     /*
      * M-profile.
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdxBit {
     TO_CORE_BIT(E2),
     TO_CORE_BIT(E20_2),
     TO_CORE_BIT(E20_2_PAN),
-    TO_CORE_BIT(SE10_0),
-    TO_CORE_BIT(SE20_0),
-    TO_CORE_BIT(SE10_1),
-    TO_CORE_BIT(SE20_2),
-    TO_CORE_BIT(SE10_1_PAN),
-    TO_CORE_BIT(SE20_2_PAN),
-    TO_CORE_BIT(SE2),
-    TO_CORE_BIT(SE3),
+    TO_CORE_BIT(E3),
 
     TO_CORE_BIT(MUser),
     TO_CORE_BIT(MPriv),
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline bool regime_has_2_ranges(ARMMMUIdx mmu_idx)
     case ARMMMUIdx_Stage1_E0:
     case ARMMMUIdx_Stage1_E1:
     case ARMMMUIdx_Stage1_E1_PAN:
-    case ARMMMUIdx_Stage1_SE0:
-    case ARMMMUIdx_Stage1_SE1:
-    case ARMMMUIdx_Stage1_SE1_PAN:
     case ARMMMUIdx_E10_0:
     case ARMMMUIdx_E10_1:
     case ARMMMUIdx_E10_1_PAN:
     case ARMMMUIdx_E20_0:
     case ARMMMUIdx_E20_2:
     case ARMMMUIdx_E20_2_PAN:
-    case ARMMMUIdx_SE10_0:
-    case ARMMMUIdx_SE10_1:
-    case ARMMMUIdx_SE10_1_PAN:
-    case ARMMMUIdx_SE20_0:
-    case ARMMMUIdx_SE20_2:
-    case ARMMMUIdx_SE20_2_PAN:
         return true;
     default:
         return false;
@@ -XXX,XX +XXX,XX @@ static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
     switch (mmu_idx) {
     case ARMMMUIdx_Stage1_E1_PAN:
-    case ARMMMUIdx_Stage1_SE1_PAN:
     case ARMMMUIdx_E10_1_PAN:
     case ARMMMUIdx_E20_2_PAN:
-    case ARMMMUIdx_SE10_1_PAN:
-    case ARMMMUIdx_SE20_2_PAN:
         return true;
     default:
         return false;
@@ -XXX,XX +XXX,XX @@ static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx)
 static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
     switch (mmu_idx) {
-    case ARMMMUIdx_SE20_0:
-    case ARMMMUIdx_SE20_2:
-    case ARMMMUIdx_SE20_2_PAN:
     case ARMMMUIdx_E20_0:
     case ARMMMUIdx_E20_2:
     case ARMMMUIdx_E20_2_PAN:
     case ARMMMUIdx_Stage2:
     case ARMMMUIdx_Stage2_S:
-    case ARMMMUIdx_SE2:
     case ARMMMUIdx_E2:
         return 2;
-    case ARMMMUIdx_SE3:
+    case ARMMMUIdx_E3:
         return 3;
-    case ARMMMUIdx_SE10_0:
-    case ARMMMUIdx_Stage1_SE0:
-        return arm_el_is_aa64(env, 3) ? 1 : 3;
-    case ARMMMUIdx_SE10_1:
-    case ARMMMUIdx_SE10_1_PAN:
+    case ARMMMUIdx_E10_0:
     case ARMMMUIdx_Stage1_E0:
+        return arm_el_is_aa64(env, 3) || !arm_is_secure_below_el3(env) ? 1 : 3;
     case ARMMMUIdx_Stage1_E1:
     case ARMMMUIdx_Stage1_E1_PAN:
-    case ARMMMUIdx_Stage1_SE1:
-    case ARMMMUIdx_Stage1_SE1_PAN:
-    case ARMMMUIdx_E10_0:
     case ARMMMUIdx_E10_1:
     case ARMMMUIdx_E10_1_PAN:
     case ARMMMUIdx_MPrivNegPri:
@@ -XXX,XX +XXX,XX @@ static inline bool arm_mmu_idx_is_stage1_of_2(ARMMMUIdx mmu_idx)
     case ARMMMUIdx_Stage1_E0:
     case ARMMMUIdx_Stage1_E1:
     case ARMMMUIdx_Stage1_E1_PAN:
-    case ARMMMUIdx_Stage1_SE0:
-    case ARMMMUIdx_Stage1_SE1:
-    case ARMMMUIdx_Stage1_SE1_PAN:
         return true;
     default:
         return false;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
     /* Begin with base v8.0 state.  */
     uint64_t valid_mask = 0x3fff;
     ARMCPU *cpu = env_archcpu(env);
+    uint64_t changed;
 
     /*
      * Because SCR_EL3 is the "real" cpreg and SCR is the alias, reset always
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
 
     /* Clear all-context RES0 bits.  */
     value &= valid_mask;
-    raw_write(env, ri, value);
+    changed = env->cp15.scr_el3 ^ value;
+    env->cp15.scr_el3 = value;
+
+    /*
+     * If SCR_EL3.NS changes, i.e. arm_is_secure_below_el3, then
+     * we must invalidate all TLBs below EL3.
+     */
+    if (changed & SCR_NS) {
+        tlb_flush_by_mmuidx(env_cpu(env), (ARMMMUIdxBit_E10_0 |
+                                           ARMMMUIdxBit_E20_0 |
+                                           ARMMMUIdxBit_E10_1 |
+                                           ARMMMUIdxBit_E20_2 |
+                                           ARMMMUIdxBit_E10_1_PAN |
+                                           ARMMMUIdxBit_E20_2_PAN |
+                                           ARMMMUIdxBit_E2));
+    }
 }
 
 static void scr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static int gt_phys_redir_timeridx(CPUARMState *env)
     case ARMMMUIdx_E20_0:
     case ARMMMUIdx_E20_2:
     case ARMMMUIdx_E20_2_PAN:
-    case ARMMMUIdx_SE20_0:
-    case ARMMMUIdx_SE20_2:
-    case ARMMMUIdx_SE20_2_PAN:
         return GTIMER_HYP;
     default:
         return GTIMER_PHYS;
@@ -XXX,XX +XXX,XX @@ static int gt_virt_redir_timeridx(CPUARMState *env)
     case ARMMMUIdx_E20_0:
     case ARMMMUIdx_E20_2:
     case ARMMMUIdx_E20_2_PAN:
-    case ARMMMUIdx_SE20_0:
-    case ARMMMUIdx_SE20_2:
-    case ARMMMUIdx_SE20_2_PAN:
         return GTIMER_HYPVIRT;
     default:
         return GTIMER_VIRT;
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         /* stage 1 current state PL1: ATS1CPR, ATS1CPW, ATS1CPRP, ATS1CPWP */
         switch (el) {
         case 3:
-            mmu_idx = ARMMMUIdx_SE3;
+            mmu_idx = ARMMMUIdx_E3;
             secure = true;
             break;
         case 2:
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
             /* fall through */
         case 1:
             if (ri->crm == 9 && (env->uncached_cpsr & CPSR_PAN)) {
-                mmu_idx = (secure ? ARMMMUIdx_Stage1_SE1_PAN
-                           : ARMMMUIdx_Stage1_E1_PAN);
+                mmu_idx = ARMMMUIdx_Stage1_E1_PAN;
             } else {
-                mmu_idx = secure ? ARMMMUIdx_Stage1_SE1 : ARMMMUIdx_Stage1_E1;
+                mmu_idx = ARMMMUIdx_Stage1_E1;
             }
             break;
         default:
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         /* stage 1 current state PL0: ATS1CUR, ATS1CUW */
         switch (el) {
         case 3:
-            mmu_idx = ARMMMUIdx_SE10_0;
+            mmu_idx = ARMMMUIdx_E10_0;
             secure = true;
             break;
         case 2:
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
             mmu_idx = ARMMMUIdx_Stage1_E0;
             break;
         case 1:
-            mmu_idx = secure ? ARMMMUIdx_Stage1_SE0 : ARMMMUIdx_Stage1_E0;
+            mmu_idx = ARMMMUIdx_Stage1_E0;
             break;
         default:
             g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
         switch (ri->opc1) {
         case 0: /* AT S1E1R, AT S1E1W, AT S1E1RP, AT S1E1WP */
             if (ri->crm == 9 && (env->pstate & PSTATE_PAN)) {
-                mmu_idx = (secure ? ARMMMUIdx_Stage1_SE1_PAN
-                           : ARMMMUIdx_Stage1_E1_PAN);
+                mmu_idx = ARMMMUIdx_Stage1_E1_PAN;
             } else {
-                mmu_idx = secure ? ARMMMUIdx_Stage1_SE1 : ARMMMUIdx_Stage1_E1;
+                mmu_idx = ARMMMUIdx_Stage1_E1;
             }
             break;
         case 4: /* AT S1E2R, AT S1E2W */
-            mmu_idx = secure ? ARMMMUIdx_SE2 : ARMMMUIdx_E2;
+            mmu_idx = ARMMMUIdx_E2;
             break;
         case 6: /* AT S1E3R, AT S1E3W */
-            mmu_idx = ARMMMUIdx_SE3;
+            mmu_idx = ARMMMUIdx_E3;
             secure = true;
             break;
         default:
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
         }
         break;
     case 2: /* AT S1E0R, AT S1E0W */
-        mmu_idx = secure ? ARMMMUIdx_Stage1_SE0 : ARMMMUIdx_Stage1_E0;
+        mmu_idx = ARMMMUIdx_Stage1_E0;
         break;
     case 4: /* AT S12E1R, AT S12E1W */
-        mmu_idx = secure ? ARMMMUIdx_SE10_1 : ARMMMUIdx_E10_1;
+        mmu_idx = ARMMMUIdx_E10_1;
         break;
     case 6: /* AT S12E0R, AT S12E0W */
-        mmu_idx = secure ? ARMMMUIdx_SE10_0 : ARMMMUIdx_E10_0;
+        mmu_idx = ARMMMUIdx_E10_0;
         break;
     default:
         g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void vmsa_tcr_ttbr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri,
         uint16_t mask = ARMMMUIdxBit_E20_2 |
                         ARMMMUIdxBit_E20_2_PAN |
                         ARMMMUIdxBit_E20_0;
-
-        if (arm_is_secure_below_el3(env)) {
-            mask >>= ARM_MMU_IDX_A_NS;
-        }
-
         tlb_flush_by_mmuidx(env_cpu(env), mask);
     }
     raw_write(env, ri, value);
@@ -XXX,XX +XXX,XX @@ static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
         uint16_t mask = ARMMMUIdxBit_E10_1 |
                         ARMMMUIdxBit_E10_1_PAN |
                         ARMMMUIdxBit_E10_0;
-
-        if (arm_is_secure_below_el3(env)) {
-            mask >>= ARM_MMU_IDX_A_NS;
-        }
-
         tlb_flush_by_mmuidx(cs, mask);
         raw_write(env, ri, value);
     }
@@ -XXX,XX +XXX,XX @@ static int vae1_tlbmask(CPUARMState *env)
                ARMMMUIdxBit_E10_1_PAN |
                ARMMMUIdxBit_E10_0;
     }
-
-    if (arm_is_secure_below_el3(env)) {
-        mask >>= ARM_MMU_IDX_A_NS;
-    }
-
     return mask;
 }
 
@@ -XXX,XX +XXX,XX @@ static int vae1_tlbbits(CPUARMState *env, uint64_t addr)
         mmu_idx = ARMMMUIdx_E10_0;
     }
 
-    if (arm_is_secure_below_el3(env)) {
-        mmu_idx &= ~ARM_MMU_IDX_A_NS;
-    }
-
     return tlbbits_for_regime(env, mmu_idx, addr);
 }
 
@@ -XXX,XX +XXX,XX @@ static int alle1_tlbmask(CPUARMState *env)
      * stage 2 translations, whereas most other scopes only invalidate
      * stage 1 translations.
      */
-    if (arm_is_secure_below_el3(env)) {
-        return ARMMMUIdxBit_SE10_1 |
-               ARMMMUIdxBit_SE10_1_PAN |
-               ARMMMUIdxBit_SE10_0;
-    } else {
-        return ARMMMUIdxBit_E10_1 |
-               ARMMMUIdxBit_E10_1_PAN |
-               ARMMMUIdxBit_E10_0;
-    }
+    return (ARMMMUIdxBit_E10_1 |
+            ARMMMUIdxBit_E10_1_PAN |
+            ARMMMUIdxBit_E10_0);
 }
 
 static int e2_tlbmask(CPUARMState *env)
 {
-    if (arm_is_secure_below_el3(env)) {
-        return ARMMMUIdxBit_SE20_0 |
-               ARMMMUIdxBit_SE20_2 |
-               ARMMMUIdxBit_SE20_2_PAN |
-               ARMMMUIdxBit_SE2;
-    } else {
-        return ARMMMUIdxBit_E20_0 |
-               ARMMMUIdxBit_E20_2 |
-               ARMMMUIdxBit_E20_2_PAN |
-               ARMMMUIdxBit_E2;
-    }
+    return (ARMMMUIdxBit_E20_0 |
+            ARMMMUIdxBit_E20_2 |
+            ARMMMUIdxBit_E20_2_PAN |
+            ARMMMUIdxBit_E2);
 }
 
 static void tlbi_aa64_alle1_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_alle3_write(CPUARMState *env, const ARMCPRegInfo *ri,
     ARMCPU *cpu = env_archcpu(env);
     CPUState *cs = CPU(cpu);
 
-    tlb_flush_by_mmuidx(cs, ARMMMUIdxBit_SE3);
+    tlb_flush_by_mmuidx(cs, ARMMMUIdxBit_E3);
 }
 
 static void tlbi_aa64_alle1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_alle3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     CPUState *cs = env_cpu(env);
 
-    tlb_flush_by_mmuidx_all_cpus_synced(cs, ARMMMUIdxBit_SE3);
+    tlb_flush_by_mmuidx_all_cpus_synced(cs, ARMMMUIdxBit_E3);
 }
 
 static void tlbi_aa64_vae2_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae3_write(CPUARMState *env, const ARMCPRegInfo *ri,
     CPUState *cs = CPU(cpu);
     uint64_t pageaddr = sextract64(value << 12, 0, 56);
 
-    tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_SE3);
+    tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_E3);
 }
 
 static void tlbi_aa64_vae1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae2is_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     CPUState *cs = env_cpu(env);
     uint64_t pageaddr = sextract64(value << 12, 0, 56);
-    bool secure = arm_is_secure_below_el3(env);
-    int mask = secure ? ARMMMUIdxBit_SE2 : ARMMMUIdxBit_E2;
-    int bits = tlbbits_for_regime(env, secure ? ARMMMUIdx_SE2 : ARMMMUIdx_E2,
-                                  pageaddr);
+    int bits = tlbbits_for_regime(env, ARMMMUIdx_E2, pageaddr);
 
-    tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, mask, bits);
+    tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr,
+                                                  ARMMMUIdxBit_E2, bits);
 }
 
 static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     CPUState *cs = env_cpu(env);
     uint64_t pageaddr = sextract64(value << 12, 0, 56);
-    int bits = tlbbits_for_regime(env, ARMMMUIdx_SE3, pageaddr);
+    int bits = tlbbits_for_regime(env, ARMMMUIdx_E3, pageaddr);
 
     tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr,
-                                                  ARMMMUIdxBit_SE3, bits);
+                                                  ARMMMUIdxBit_E3, bits);
 }
 
 #ifdef TARGET_AARCH64
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae1is_write(CPUARMState *env,
 
 static int vae2_tlbmask(CPUARMState *env)
 {
-    return (arm_is_secure_below_el3(env)
-            ? ARMMMUIdxBit_SE2 : ARMMMUIdxBit_E2);
+    return ARMMMUIdxBit_E2;
 }
 
 static void tlbi_aa64_rvae2_write(CPUARMState *env,
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae3_write(CPUARMState *env,
      * flush-last-level-only.
      */
 
-    do_rvae_write(env, value, ARMMMUIdxBit_SE3,
-                  tlb_force_broadcast(env));
+    do_rvae_write(env, value, ARMMMUIdxBit_E3, tlb_force_broadcast(env));
 }
 
 static void tlbi_aa64_rvae3is_write(CPUARMState *env,
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae3is_write(CPUARMState *env,
      * flush-last-level-only or inner/outer specific flushes.
      */
 
-    do_rvae_write(env, value, ARMMMUIdxBit_SE3, true);
+    do_rvae_write(env, value, ARMMMUIdxBit_E3, true);
 }
 #endif
 
@@ -XXX,XX +XXX,XX @@ uint64_t arm_sctlr(CPUARMState *env, int el)
     /* Only EL0 needs to be adjusted for EL1&0 or EL2&0. */
     if (el == 0) {
         ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, 0);
-        el = (mmu_idx == ARMMMUIdx_E20_0 || mmu_idx == ARMMMUIdx_SE20_0)
-             ? 2 : 1;
+        el = mmu_idx == ARMMMUIdx_E20_0 ? 2 : 1;
     }
     return env->cp15.sctlr_el[el];
 }
@@ -XXX,XX +XXX,XX @@ int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx)
     switch (mmu_idx) {
     case ARMMMUIdx_E10_0:
     case ARMMMUIdx_E20_0:
-    case ARMMMUIdx_SE10_0:
-    case ARMMMUIdx_SE20_0:
         return 0;
     case ARMMMUIdx_E10_1:
     case ARMMMUIdx_E10_1_PAN:
-    case ARMMMUIdx_SE10_1:
-    case ARMMMUIdx_SE10_1_PAN:
         return 1;
     case ARMMMUIdx_E2:
     case ARMMMUIdx_E20_2:
     case ARMMMUIdx_E20_2_PAN:
-    case ARMMMUIdx_SE2:
-    case ARMMMUIdx_SE20_2:
-    case ARMMMUIdx_SE20_2_PAN:
         return 2;
-    case ARMMMUIdx_SE3:
+    case ARMMMUIdx_E3:
         return 3;
     default:
         g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ ARMMMUIdx arm_mmu_idx_el(CPUARMState *env, int el)
         }
         break;
     case 3:
-        return ARMMMUIdx_SE3;
+        return ARMMMUIdx_E3;
     default:
         g_assert_not_reached();
     }
 
-    if (arm_is_secure_below_el3(env)) {
-        idx &= ~ARM_MMU_IDX_A_NS;
-    }
-
     return idx;
 }
 
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
         switch (mmu_idx) {
         case ARMMMUIdx_E10_1:
         case ARMMMUIdx_E10_1_PAN:
-        case ARMMMUIdx_SE10_1:
-        case ARMMMUIdx_SE10_1_PAN:
             /* TODO: ARMv8.3-NV */
             DP_TBFLAG_A64(flags, UNPRIV, 1);
             break;
         case ARMMMUIdx_E20_2:
         case ARMMMUIdx_E20_2_PAN:
-        case ARMMMUIdx_SE20_2:
-        case ARMMMUIdx_SE20_2_PAN:
             /*
              * Note that EL20_2 is gated by HCR_EL2.E2H == 1, but EL20_0 is
              * gated by HCR_EL2.<E2H,TGE> == '11', and so is LDTR.
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ unsigned int arm_pamax(ARMCPU *cpu)
 ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
 {
     switch (mmu_idx) {
-    case ARMMMUIdx_SE10_0:
-        return ARMMMUIdx_Stage1_SE0;
-    case ARMMMUIdx_SE10_1:
-        return ARMMMUIdx_Stage1_SE1;
-    case ARMMMUIdx_SE10_1_PAN:
-        return ARMMMUIdx_Stage1_SE1_PAN;
     case ARMMMUIdx_E10_0:
         return ARMMMUIdx_Stage1_E0;
     case ARMMMUIdx_E10_1:
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_idx)
 static bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
     switch (mmu_idx) {
-    case ARMMMUIdx_SE10_0:
     case ARMMMUIdx_E20_0:
-    case ARMMMUIdx_SE20_0:
     case ARMMMUIdx_Stage1_E0:
-    case ARMMMUIdx_Stage1_SE0:
     case ARMMMUIdx_MUser:
     case ARMMMUIdx_MSUser:
     case ARMMMUIdx_MUserNegPri:
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
 
             s2_mmu_idx = (s2walk_secure
                           ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2);
-            is_el0 = mmu_idx == ARMMMUIdx_E10_0 || mmu_idx == ARMMMUIdx_SE10_0;
+            is_el0 = mmu_idx == ARMMMUIdx_E10_0;
 
             /*
              * S1 is done, now do S2 translation.
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
     case ARMMMUIdx_Stage1_E1:
     case ARMMMUIdx_Stage1_E1_PAN:
     case ARMMMUIdx_E2:
+        is_secure = arm_is_secure_below_el3(env);
+        break;
     case ARMMMUIdx_Stage2:
     case ARMMMUIdx_MPrivNegPri:
     case ARMMMUIdx_MUserNegPri:
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
     case ARMMMUIdx_MUser:
         is_secure = false;
         break;
-    case ARMMMUIdx_SE3:
-    case ARMMMUIdx_SE10_0:
-    case ARMMMUIdx_SE10_1:
-    case ARMMMUIdx_SE10_1_PAN:
-    case ARMMMUIdx_SE20_0:
-    case ARMMMUIdx_SE20_2:
-    case ARMMMUIdx_SE20_2_PAN:
-    case ARMMMUIdx_Stage1_SE0:
-    case ARMMMUIdx_Stage1_SE1:
-    case ARMMMUIdx_Stage1_SE1_PAN:
-    case ARMMMUIdx_SE2:
+    case ARMMMUIdx_E3:
     case ARMMMUIdx_Stage2_S:
     case ARMMMUIdx_MSPrivNegPri:
     case ARMMMUIdx_MSUserNegPri:
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static int get_a64_user_mem_index(DisasContext *s)
         case ARMMMUIdx_E20_2_PAN:
             useridx = ARMMMUIdx_E20_0;
             break;
-        case ARMMMUIdx_SE10_1:
-        case ARMMMUIdx_SE10_1_PAN:
-            useridx = ARMMMUIdx_SE10_0;
-            break;
-        case ARMMMUIdx_SE20_2:
-        case ARMMMUIdx_SE20_2_PAN:
-            useridx = ARMMMUIdx_SE20_0;
-            break;
         default:
             g_assert_not_reached();
         }
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline int get_a32_user_mem_index(DisasContext *s)
      *  otherwise, access as if at PL0.
      */
     switch (s->mmu_idx) {
+    case ARMMMUIdx_E3:
     case ARMMMUIdx_E2:        /* this one is UNPREDICTABLE */
     case ARMMMUIdx_E10_0:
     case ARMMMUIdx_E10_1:
     case ARMMMUIdx_E10_1_PAN:
         return arm_to_core_mmu_idx(ARMMMUIdx_E10_0);
-    case ARMMMUIdx_SE3:
-    case ARMMMUIdx_SE10_0:
-    case ARMMMUIdx_SE10_1:
-    case ARMMMUIdx_SE10_1_PAN:
-        return arm_to_core_mmu_idx(ARMMMUIdx_SE10_0);
     case ARMMMUIdx_MUser:
     case ARMMMUIdx_MPriv:
         return arm_to_core_mmu_idx(ARMMMUIdx_MUser);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Use a switch on mmu_idx for the a-profile indexes, instead of
three different if's vs regime_el and arm_mmu_idx_is_stage1_of_2.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
 
     hcr_el2 = arm_hcr_el2_eff(env);
 
-    if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+    switch (mmu_idx) {
+    case ARMMMUIdx_Stage2:
+    case ARMMMUIdx_Stage2_S:
         /* HCR.DC means HCR.VM behaves as 1 */
         return (hcr_el2 & (HCR_DC | HCR_VM)) == 0;
-    }
 
-    if (hcr_el2 & HCR_TGE) {
+    case ARMMMUIdx_E10_0:
+    case ARMMMUIdx_E10_1:
+    case ARMMMUIdx_E10_1_PAN:
         /* TGE means that NS EL0/1 act as if SCTLR_EL1.M is zero */
-        if (!is_secure && regime_el(env, mmu_idx) == 1) {
+        if (!is_secure && (hcr_el2 & HCR_TGE)) {
             return true;
         }
-    }
+        break;
 
-    if ((hcr_el2 & HCR_DC) && arm_mmu_idx_is_stage1_of_2(mmu_idx)) {
+    case ARMMMUIdx_Stage1_E0:
+    case ARMMMUIdx_Stage1_E1:
+    case ARMMMUIdx_Stage1_E1_PAN:
         /* HCR.DC means SCTLR_EL1.M behaves as 0 */
-        return true;
+        if (hcr_el2 & HCR_DC) {
+            return true;
+        }
+        break;
+
+    case ARMMMUIdx_E20_0:
+    case ARMMMUIdx_E20_2:
+    case ARMMMUIdx_E20_2_PAN:
+    case ARMMMUIdx_E2:
+    case ARMMMUIdx_E3:
+        break;
+
+    default:
+        g_assert_not_reached();
     }
 
     return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The effect of TGE does not only apply to non-secure state,
now that Secure EL2 exists.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
     case ARMMMUIdx_E10_0:
     case ARMMMUIdx_E10_1:
     case ARMMMUIdx_E10_1_PAN:
-        /* TGE means that NS EL0/1 act as if SCTLR_EL1.M is zero */
-        if (!is_secure && (hcr_el2 & HCR_TGE)) {
+        /* TGE means that EL0/1 act as if SCTLR_EL1.M is zero */
+        if (hcr_el2 & HCR_TGE) {
             return true;
         }
         break;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

For page walking, we may require HCR for a security state
that is not "current".

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    | 20 +++++++++++++-------
 target/arm/helper.c | 11 ++++++++---
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env)
  * Return true if the current security state has AArch64 EL2 or AArch32 Hyp.
  * This corresponds to the pseudocode EL2Enabled()
  */
+static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, bool secure)
+{
+    return arm_feature(env, ARM_FEATURE_EL2)
+           && (!secure || (env->cp15.scr_el3 & SCR_EEL2));
+}
+
 static inline bool arm_is_el2_enabled(CPUARMState *env)
 {
-    if (arm_feature(env, ARM_FEATURE_EL2)) {
-        if (arm_is_secure_below_el3(env)) {
-            return (env->cp15.scr_el3 & SCR_EEL2) != 0;
-        }
-        return true;
-    }
-    return false;
+    return arm_is_el2_enabled_secstate(env, arm_is_secure_below_el3(env));
 }
 
 #else
@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env)
     return false;
 }
 
+static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, bool secure)
+{
+    return false;
+}
+
 static inline bool arm_is_el2_enabled(CPUARMState *env)
 {
     return false;
@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_el2_enabled(CPUARMState *env)
  * "for all purposes other than a direct read or write access of HCR_EL2."
  * Not included here is HCR_RW.
  */
+uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, bool secure);
 uint64_t arm_hcr_el2_eff(CPUARMState *env);
 uint64_t arm_hcrx_el2_eff(CPUARMState *env);
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri,
 }
 
 /*
- * Return the effective value of HCR_EL2.
+ * Return the effective value of HCR_EL2, at the given security state.
  * Bits that are not included here:
  * RW       (read from SCR_EL3.RW as needed)
  */
-uint64_t arm_hcr_el2_eff(CPUARMState *env)
+uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, bool secure)
 {
     uint64_t ret = env->cp15.hcr_el2;
 
-    if (!arm_is_el2_enabled(env)) {
+    if (!arm_is_el2_enabled_secstate(env, secure)) {
         /*
          * "This register has no effect if EL2 is not enabled in the
          * current Security state".  This is ARMv8.4-SecEL2 speak for
@@ -XXX,XX +XXX,XX @@ uint64_t arm_hcr_el2_eff(CPUARMState *env)
     return ret;
 }
 
+uint64_t arm_hcr_el2_eff(CPUARMState *env)
+{
+    return arm_hcr_el2_eff_secstate(env, arm_is_secure_below_el3(env));
+}
+
 /*
  * Corresponds to ARM pseudocode function ELIsInHost().
  */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Rename the argument to is_secure_ptr, and introduce a
local variable is_secure with the value.  We only write
back to the pointer toward the end of the function.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
 
 /* Translate a S1 pagetable walk through S2 if needed.  */
 static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-                               hwaddr addr, bool *is_secure,
+                               hwaddr addr, bool *is_secure_ptr,
                                ARMMMUFaultInfo *fi)
 {
-    ARMMMUIdx s2_mmu_idx = *is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+    bool is_secure = *is_secure_ptr;
+    ARMMMUIdx s2_mmu_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 
     if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
-        !regime_translation_disabled(env, s2_mmu_idx, *is_secure)) {
+        !regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
         GetPhysAddrResult s2 = {};
         int ret;
 
         ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx,
-                                 *is_secure, false, &s2, fi);
+                                 is_secure, false, &s2, fi);
         if (ret) {
             assert(fi->type != ARMFault_None);
             fi->s2addr = addr;
             fi->stage2 = true;
             fi->s1ptw = true;
-            fi->s1ns = !*is_secure;
+            fi->s1ns = !is_secure;
             return ~0;
         }
         if ((arm_hcr_el2_eff(env) & HCR_PTW) &&
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
             fi->s2addr = addr;
             fi->stage2 = true;
             fi->s1ptw = true;
-            fi->s1ns = !*is_secure;
+            fi->s1ns = !is_secure;
             return ~0;
         }
 
         if (arm_is_secure_below_el3(env)) {
             /* Check if page table walk is to secure or non-secure PA space. */
-            if (*is_secure) {
-                *is_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
+            if (is_secure) {
+                is_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
             } else {
-                *is_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
+                is_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
             }
+            *is_secure_ptr = is_secure;
         } else {
-            assert(!*is_secure);
+            assert(!is_secure);
         }
 
         addr = s2.phys;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This value is unused.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221001162318.153420-16-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static uint8_t force_cacheattr_nibble_wb(uint8_t attr)
  * s1 and s2 for the HCR_EL2.FWB == 1 case, returning the
  * combined attributes in MAIR_EL1 format.
  */
-static uint8_t combined_attrs_fwb(CPUARMState *env,
-                                  ARMCacheAttrs s1, ARMCacheAttrs s2)
+static uint8_t combined_attrs_fwb(ARMCacheAttrs s1, ARMCacheAttrs s2)
 {
     switch (s2.attrs) {
     case 7:
@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
 
     /* Combine memory type and cacheability attributes */
     if (arm_hcr_el2_eff(env) & HCR_FWB) {
-        ret.attrs = combined_attrs_fwb(env, s1, s2);
+        ret.attrs = combined_attrs_fwb(s1, s2);
     } else {
         ret.attrs = combined_attrs_nofwb(env, s1, s2);
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

These subroutines did not need ENV for anything except
retrieving the effective value of HCR anyway.

We have computed the effective value of HCR in the callers,
and this will be especially important for interpreting HCR
in a non-current security state.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-17-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
     return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
 }
 
-static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
+static bool ptw_attrs_are_device(uint64_t hcr, ARMCacheAttrs cacheattrs)
 {
     /*
      * For an S1 page table walk, the stage 1 attributes are always
@@ -XXX,XX +XXX,XX @@ static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
      * when cacheattrs.attrs bit [2] is 0.
      */
     assert(cacheattrs.is_s2_format);
-    if (arm_hcr_el2_eff(env) & HCR_FWB) {
+    if (hcr & HCR_FWB) {
         return (cacheattrs.attrs & 0x4) == 0;
     } else {
         return (cacheattrs.attrs & 0xc) == 0;
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
     if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
         !regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
         GetPhysAddrResult s2 = {};
+        uint64_t hcr;
         int ret;
 
         ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx,
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
             fi->s1ns = !is_secure;
             return ~0;
         }
-        if ((arm_hcr_el2_eff(env) & HCR_PTW) &&
-            ptw_attrs_are_device(env, s2.cacheattrs)) {
+
+        hcr = arm_hcr_el2_eff(env);
+        if ((hcr & HCR_PTW) && ptw_attrs_are_device(hcr, s2.cacheattrs)) {
             /*
              * PTW set and S1 walk touched S2 Device memory:
              * generate Permission fault.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
  * ref: shared/translation/attrs/S2AttrDecode()
  *      .../S2ConvertAttrsHints()
  */
-static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
+static uint8_t convert_stage2_attrs(uint64_t hcr, uint8_t s2attrs)
 {
     uint8_t hiattr = extract32(s2attrs, 2, 2);
     uint8_t loattr = extract32(s2attrs, 0, 2);
     uint8_t hihint = 0, lohint = 0;
 
     if (hiattr != 0) { /* normal memory */
-        if (arm_hcr_el2_eff(env) & HCR_CD) { /* cache disabled */
+        if (hcr & HCR_CD) { /* cache disabled */
             hiattr = loattr = 1; /* non-cacheable */
         } else {
             if (hiattr != 1) { /* Write-through or write-back */
@@ -XXX,XX +XXX,XX @@ static uint8_t combine_cacheattr_nibble(uint8_t s1, uint8_t s2)
  * s1 and s2 for the HCR_EL2.FWB == 0 case, returning the
  * combined attributes in MAIR_EL1 format.
  */
-static uint8_t combined_attrs_nofwb(CPUARMState *env,
+static uint8_t combined_attrs_nofwb(uint64_t hcr,
                                     ARMCacheAttrs s1, ARMCacheAttrs s2)
 {
     uint8_t s1lo, s2lo, s1hi, s2hi, s2_mair_attrs, ret_attrs;
 
-    s2_mair_attrs = convert_stage2_attrs(env, s2.attrs);
+    s2_mair_attrs = convert_stage2_attrs(hcr, s2.attrs);
 
     s1lo = extract32(s1.attrs, 0, 4);
     s2lo = extract32(s2_mair_attrs, 0, 4);
@@ -XXX,XX +XXX,XX @@ static uint8_t combined_attrs_fwb(ARMCacheAttrs s1, ARMCacheAttrs s2)
  * @s1:      Attributes from stage 1 walk
  * @s2:      Attributes from stage 2 walk
  */
-static ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
+static ARMCacheAttrs combine_cacheattrs(uint64_t hcr,
                                         ARMCacheAttrs s1, ARMCacheAttrs s2)
 {
     ARMCacheAttrs ret;
@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
     }
 
     /* Combine memory type and cacheability attributes */
-    if (arm_hcr_el2_eff(env) & HCR_FWB) {
+    if (hcr & HCR_FWB) {
         ret.attrs = combined_attrs_fwb(s1, s2);
     } else {
-        ret.attrs = combined_attrs_nofwb(env, s1, s2);
+        ret.attrs = combined_attrs_nofwb(hcr, s1, s2);
     }
 
     /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
             ARMCacheAttrs cacheattrs1;
             ARMMMUIdx s2_mmu_idx;
             bool is_el0;
+            uint64_t hcr;
 
             ret = get_phys_addr_with_secure(env, address, access_type,
                                             s1_mmu_idx, is_secure, result, fi);
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
             }
 
             /* Combine the S1 and S2 cache attributes. */
-            if (arm_hcr_el2_eff(env) & HCR_DC) {
+            hcr = arm_hcr_el2_eff(env);
+            if (hcr & HCR_DC) {
                 /*
                  * HCR.DC forces the first stage attributes to
                  *  Normal Non-Shareable,
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                 }
                 cacheattrs1.shareability = 0;
             }
-            result->cacheattrs = combine_cacheattrs(env, cacheattrs1,
+            result->cacheattrs = combine_cacheattrs(hcr, cacheattrs1,
                                                     result->cacheattrs);
 
             /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Use arm_hcr_el2_eff_secstate instead of arm_hcr_el2_eff, so
that we use is_secure instead of the current security state.
These AT* operations have been broken since arm_hcr_el2_eff
gained a check for "el2 enabled" for Secure EL2.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-18-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
         }
     }
 
-    hcr_el2 = arm_hcr_el2_eff(env);
+    hcr_el2 = arm_hcr_el2_eff_secstate(env, is_secure);
 
     switch (mmu_idx) {
     case ARMMMUIdx_Stage2:
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
             return ~0;
         }
 
-        hcr = arm_hcr_el2_eff(env);
+        hcr = arm_hcr_el2_eff_secstate(env, is_secure);
         if ((hcr & HCR_PTW) && ptw_attrs_are_device(hcr, s2.cacheattrs)) {
             /*
              * PTW set and S1 walk touched S2 Device memory:
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
             }
 
             /* Combine the S1 and S2 cache attributes. */
-            hcr = arm_hcr_el2_eff(env);
+            hcr = arm_hcr_el2_eff_secstate(env, is_secure);
             if (hcr & HCR_DC) {
                 /*
                  * HCR.DC forces the first stage attributes to
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
         result->page_size = TARGET_PAGE_SIZE;
 
         /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
-        hcr = arm_hcr_el2_eff(env);
+        hcr = arm_hcr_el2_eff_secstate(env, is_secure);
         result->cacheattrs.shareability = 0;
         result->cacheattrs.is_s2_format = false;
         if (hcr & HCR_DC) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221001162318.153420-19-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 138 +++++++++++++++++++++++++----------------------
 1 file changed, 74 insertions(+), 64 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(uint64_t hcr,
     return ret;
 }
 
+/*
+ * MMU disabled.  S1 addresses within aa64 translation regimes are
+ * still checked for bounds -- see AArch64.S1DisabledOutput().
+ */
+static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
+                                   MMUAccessType access_type,
+                                   ARMMMUIdx mmu_idx, bool is_secure,
+                                   GetPhysAddrResult *result,
+                                   ARMMMUFaultInfo *fi)
+{
+    uint64_t hcr;
+    uint8_t memattr;
+
+    if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
+        int r_el = regime_el(env, mmu_idx);
+        if (arm_el_is_aa64(env, r_el)) {
+            int pamax = arm_pamax(env_archcpu(env));
+            uint64_t tcr = env->cp15.tcr_el[r_el];
+            int addrtop, tbi;
+
+            tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
+            if (access_type == MMU_INST_FETCH) {
+                tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx);
+            }
+            tbi = (tbi >> extract64(address, 55, 1)) & 1;
+            addrtop = (tbi ? 55 : 63);
+
+            if (extract64(address, pamax, addrtop - pamax + 1) != 0) {
+                fi->type = ARMFault_AddressSize;
+                fi->level = 0;
+                fi->stage2 = false;
+                return 1;
+            }
+
+            /*
+             * When TBI is disabled, we've just validated that all of the
+             * bits above PAMax are zero, so logically we only need to
+             * clear the top byte for TBI.  But it's clearer to follow
+             * the pseudocode set of addrdesc.paddress.
+             */
+            address = extract64(address, 0, 52);
+        }
+    }
+
+    result->phys = address;
+    result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+    result->page_size = TARGET_PAGE_SIZE;
+
+    /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
+    hcr = arm_hcr_el2_eff_secstate(env, is_secure);
+    result->cacheattrs.shareability = 0;
+    result->cacheattrs.is_s2_format = false;
+    if (hcr & HCR_DC) {
+        if (hcr & HCR_DCT) {
+            memattr = 0xf0;  /* Tagged, Normal, WB, RWA */
+        } else {
+            memattr = 0xff;  /* Normal, WB, RWA */
+        }
+    } else if (access_type == MMU_INST_FETCH) {
+        if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
+            memattr = 0xee;  /* Normal, WT, RA, NT */
+        } else {
+            memattr = 0x44;  /* Normal, NC, No */
+        }
+        result->cacheattrs.shareability = 2; /* outer sharable */
+    } else {
+        memattr = 0x00;      /* Device, nGnRnE */
+    }
+    result->cacheattrs.attrs = memattr;
+    return 0;
+}
+
 bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
                                bool is_secure, GetPhysAddrResult *result,
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
     /* Definitely a real MMU, not an MPU */
 
     if (regime_translation_disabled(env, mmu_idx, is_secure)) {
-        uint64_t hcr;
-        uint8_t memattr;
-
-        /*
-         * MMU disabled.  S1 addresses within aa64 translation regimes are
-         * still checked for bounds -- see AArch64.TranslateAddressS1Off.
-         */
-        if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
-            int r_el = regime_el(env, mmu_idx);
-            if (arm_el_is_aa64(env, r_el)) {
-                int pamax = arm_pamax(env_archcpu(env));
-                uint64_t tcr = env->cp15.tcr_el[r_el];
-                int addrtop, tbi;
-
-                tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
-                if (access_type == MMU_INST_FETCH) {
-                    tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx);
-                }
-                tbi = (tbi >> extract64(address, 55, 1)) & 1;
-                addrtop = (tbi ? 55 : 63);
-
-                if (extract64(address, pamax, addrtop - pamax + 1) != 0) {
-                    fi->type = ARMFault_AddressSize;
-                    fi->level = 0;
-                    fi->stage2 = false;
-                    return 1;
-                }
-
-                /*
-                 * When TBI is disabled, we've just validated that all of the
-                 * bits above PAMax are zero, so logically we only need to
-                 * clear the top byte for TBI.  But it's clearer to follow
-                 * the pseudocode set of addrdesc.paddress.
-                 */
-                address = extract64(address, 0, 52);
-            }
-        }
-        result->phys = address;
-        result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
-        result->page_size = TARGET_PAGE_SIZE;
-
-        /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
-        hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-        result->cacheattrs.shareability = 0;
-        result->cacheattrs.is_s2_format = false;
-        if (hcr & HCR_DC) {
-            if (hcr & HCR_DCT) {
-                memattr = 0xf0;  /* Tagged, Normal, WB, RWA */
-            } else {
-                memattr = 0xff;  /* Normal, WB, RWA */
-            }
-        } else if (access_type == MMU_INST_FETCH) {
-            if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
-                memattr = 0xee;  /* Normal, WT, RA, NT */
-            } else {
-                memattr = 0x44;  /* Normal, NC, No */
-            }
-            result->cacheattrs.shareability = 2; /* outer sharable */
-        } else {
-            memattr = 0x00;      /* Device, nGnRnE */
-        }
-        result->cacheattrs.attrs = memattr;
-        return 0;
+        return get_phys_addr_disabled(env, address, access_type, mmu_idx,
+                                      is_secure, result, fi);
     }
-
     if (regime_using_lpae_format(env, mmu_idx)) {
         return get_phys_addr_lpae(env, address, access_type, mmu_idx,
                                   is_secure, false, result, fi);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Do not apply memattr or shareability for Stage2 translations.
Make sure to apply HCR_{DC,DCT} only to Regime_EL10, per the
pseudocode in AArch64.S1DisabledOutput.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221001162318.153420-20-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 48 +++++++++++++++++++++++++-----------------------
 1 file changed, 25 insertions(+), 23 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
                                    GetPhysAddrResult *result,
                                    ARMMMUFaultInfo *fi)
 {
-    uint64_t hcr;
-    uint8_t memattr;
+    uint8_t memattr = 0x00;    /* Device nGnRnE */
+    uint8_t shareability = 0;  /* non-sharable */
 
     if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
         int r_el = regime_el(env, mmu_idx);
+
         if (arm_el_is_aa64(env, r_el)) {
             int pamax = arm_pamax(env_archcpu(env));
             uint64_t tcr = env->cp15.tcr_el[r_el];
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
              */
             address = extract64(address, 0, 52);
         }
+
+        /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
+        if (r_el == 1) {
+            uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure);
+            if (hcr & HCR_DC) {
+                if (hcr & HCR_DCT) {
+                    memattr = 0xf0;  /* Tagged, Normal, WB, RWA */
+                } else {
+                    memattr = 0xff;  /* Normal, WB, RWA */
+                }
+            }
+        }
+        if (memattr == 0 && access_type == MMU_INST_FETCH) {
+            if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
+                memattr = 0xee;  /* Normal, WT, RA, NT */
+            } else {
+                memattr = 0x44;  /* Normal, NC, No */
+            }
+            shareability = 2; /* outer sharable */
+        }
+        result->cacheattrs.is_s2_format = false;
     }
 
     result->phys = address;
     result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
     result->page_size = TARGET_PAGE_SIZE;
-
-    /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
-    hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-    result->cacheattrs.shareability = 0;
-    result->cacheattrs.is_s2_format = false;
-    if (hcr & HCR_DC) {
-        if (hcr & HCR_DCT) {
-            memattr = 0xf0;  /* Tagged, Normal, WB, RWA */
-        } else {
-            memattr = 0xff;  /* Normal, WB, RWA */
-        }
-    } else if (access_type == MMU_INST_FETCH) {
-        if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
-            memattr = 0xee;  /* Normal, WT, RA, NT */
-        } else {
-            memattr = 0x44;  /* Normal, NC, No */
-        }
-        result->cacheattrs.shareability = 2; /* outer sharable */
-    } else {
-        memattr = 0x00;      /* Device, nGnRnE */
-    }
+    result->cacheattrs.shareability = shareability;
     result->cacheattrs.attrs = memattr;
     return 0;
 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Adjust GetPhysAddrResult to fill in CPUTLBEntryFull,
so that it may be passed directly to tlb_set_page_full.

The change is large, but mostly mechanical.  The major
non-mechanical change is page_size -> lg_page_size.
Most of the time this is obvious, and is related to
TARGET_PAGE_BITS.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221001162318.153420-21-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h  |   5 +-
 target/arm/helper.c     |  12 +--
 target/arm/m_helper.c   |  20 ++---
 target/arm/ptw.c        | 179 ++++++++++++++++++++--------------------
 target/arm/tlb_helper.c |   9 +-
 5 files changed, 111 insertions(+), 114 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef struct ARMCacheAttrs {
 
 /* Fields that are valid upon success. */
 typedef struct GetPhysAddrResult {
-    hwaddr phys;
-    target_ulong page_size;
-    int prot;
-    MemTxAttrs attrs;
+    CPUTLBEntryFull f;
     ARMCacheAttrs cacheattrs;
 } GetPhysAddrResult;
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
         /* Create a 64-bit PAR */
         par64 = (1 << 11); /* LPAE bit always set */
         if (!ret) {
-            par64 |= res.phys & ~0xfffULL;
-            if (!res.attrs.secure) {
+            par64 |= res.f.phys_addr & ~0xfffULL;
+            if (!res.f.attrs.secure) {
                 par64 |= (1 << 9); /* NS */
             }
             par64 |= (uint64_t)res.cacheattrs.attrs << 56; /* ATTR */
@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
          */
         if (!ret) {
             /* We do not set any attribute bits in the PAR */
-            if (res.page_size == (1 << 24)
+            if (res.f.lg_page_size == 24
                 && arm_feature(env, ARM_FEATURE_V7)) {
-                par64 = (res.phys & 0xff000000) | (1 << 1);
+                par64 = (res.f.phys_addr & 0xff000000) | (1 << 1);
             } else {
-                par64 = res.phys & 0xfffff000;
+                par64 = res.f.phys_addr & 0xfffff000;
             }
-            if (!res.attrs.secure) {
+            if (!res.f.attrs.secure) {
                 par64 |= (1 << 9); /* NS */
             }
         } else {
diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,
         }
         goto pend_fault;
     }
-    address_space_stl_le(arm_addressspace(cs, res.attrs), res.phys, value,
-                         res.attrs, &txres);
+    address_space_stl_le(arm_addressspace(cs, res.f.attrs), res.f.phys_addr,
+                         value, res.f.attrs, &txres);
     if (txres != MEMTX_OK) {
         /* BusFault trying to write the data */
         if (mode == STACK_LAZYFP) {
@@ -XXX,XX +XXX,XX @@ static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,
         goto pend_fault;
     }
 
-    value = address_space_ldl(arm_addressspace(cs, res.attrs), res.phys,
-                              res.attrs, &txres);
+    value = address_space_ldl(arm_addressspace(cs, res.f.attrs),
+                              res.f.phys_addr, res.f.attrs, &txres);
     if (txres != MEMTX_OK) {
         /* BusFault trying to read the data */
         qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.UNSTKERR\n");
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool secure,
         qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
         return false;
     }
-    *insn = address_space_lduw_le(arm_addressspace(cs, res.attrs), res.phys,
-                                  res.attrs, &txres);
+    *insn = address_space_lduw_le(arm_addressspace(cs, res.f.attrs),
+                                  res.f.phys_addr, res.f.attrs, &txres);
     if (txres != MEMTX_OK) {
         env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_sg_stack_word(ARMCPU *cpu, ARMMMUIdx mmu_idx,
         }
         return false;
     }
-    value = address_space_ldl(arm_addressspace(cs, res.attrs), res.phys,
-                              res.attrs, &txres);
+    value = address_space_ldl(arm_addressspace(cs, res.f.attrs),
+                              res.f.phys_addr, res.f.attrs, &txres);
     if (txres != MEMTX_OK) {
         /* BusFault trying to read the data */
         qemu_log_mask(CPU_LOG_INT,
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
         } else {
             mrvalid = true;
         }
-        r = res.prot & PAGE_READ;
-        rw = res.prot & PAGE_WRITE;
+        r = res.f.prot & PAGE_READ;
+        rw = res.f.prot & PAGE_WRITE;
     } else {
         r = false;
         rw = false;
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
             assert(!is_secure);
         }
 
-        addr = s2.phys;
+        addr = s2.f.phys_addr;
     }
     return addr;
 }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
         /* 1Mb section.  */
         phys_addr = (desc & 0xfff00000) | (address & 0x000fffff);
         ap = (desc >> 10) & 3;
-        result->page_size = 1024 * 1024;
+        result->f.lg_page_size = 20; /* 1MB */
     } else {
         /* Lookup l2 entry.  */
         if (type == 1) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
         case 1: /* 64k page.  */
             phys_addr = (desc & 0xffff0000) | (address & 0xffff);
             ap = (desc >> (4 + ((address >> 13) & 6))) & 3;
-            result->page_size = 0x10000;
+            result->f.lg_page_size = 16;
             break;
         case 2: /* 4k page.  */
             phys_addr = (desc & 0xfffff000) | (address & 0xfff);
             ap = (desc >> (4 + ((address >> 9) & 6))) & 3;
-            result->page_size = 0x1000;
+            result->f.lg_page_size = 12;
             break;
         case 3: /* 1k page, or ARMv6/XScale "extended small (4k) page" */
             if (type == 1) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
                 if (arm_feature(env, ARM_FEATURE_XSCALE)
                     || arm_feature(env, ARM_FEATURE_V6)) {
                     phys_addr = (desc & 0xfffff000) | (address & 0xfff);
-                    result->page_size = 0x1000;
+                    result->f.lg_page_size = 12;
                 } else {
                     /*
                      * UNPREDICTABLE in ARMv5; we choose to take a
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
                 }
             } else {
                 phys_addr = (desc & 0xfffffc00) | (address & 0x3ff);
-                result->page_size = 0x400;
+                result->f.lg_page_size = 10;
             }
             ap = (desc >> 4) & 3;
             break;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
             g_assert_not_reached();
         }
     }
-    result->prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
-    result->prot |= result->prot ? PAGE_EXEC : 0;
-    if (!(result->prot & (1 << access_type))) {
+    result->f.prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
+    result->f.prot |= result->f.prot ? PAGE_EXEC : 0;
+    if (!(result->f.prot & (1 << access_type))) {
         /* Access permission fault.  */
         fi->type = ARMFault_Permission;
         goto do_fault;
     }
-    result->phys = phys_addr;
+    result->f.phys_addr = phys_addr;
     return false;
 do_fault:
     fi->domain = domain;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
             phys_addr = (desc & 0xff000000) | (address & 0x00ffffff);
             phys_addr |= (uint64_t)extract32(desc, 20, 4) << 32;
             phys_addr |= (uint64_t)extract32(desc, 5, 4) << 36;
-            result->page_size = 0x1000000;
+            result->f.lg_page_size = 24;  /* 16MB */
         } else {
             /* Section.  */
             phys_addr = (desc & 0xfff00000) | (address & 0x000fffff);
-            result->page_size = 0x100000;
+            result->f.lg_page_size = 20;  /* 1MB */
         }
         ap = ((desc >> 10) & 3) | ((desc >> 13) & 4);
         xn = desc & (1 << 4);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
         case 1: /* 64k page.  */
             phys_addr = (desc & 0xffff0000) | (address & 0xffff);
             xn = desc & (1 << 15);
-            result->page_size = 0x10000;
+            result->f.lg_page_size = 16;
             break;
         case 2: case 3: /* 4k page.  */
             phys_addr = (desc & 0xfffff000) | (address & 0xfff);
             xn = desc & 1;
-            result->page_size = 0x1000;
+            result->f.lg_page_size = 12;
             break;
         default:
             /* Never happens, but compiler isn't smart enough to tell.  */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
         }
     }
     if (domain_prot == 3) {
-        result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+        result->f.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
     } else {
         if (pxn && !regime_is_user(env, mmu_idx)) {
             xn = 1;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
                 fi->type = ARMFault_AccessFlag;
                 goto do_fault;
             }
-            result->prot = simple_ap_to_rw_prot(env, mmu_idx, ap >> 1);
+            result->f.prot = simple_ap_to_rw_prot(env, mmu_idx, ap >> 1);
         } else {
-            result->prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
+            result->f.prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
         }
-        if (result->prot && !xn) {
-            result->prot |= PAGE_EXEC;
+        if (result->f.prot && !xn) {
+            result->f.prot |= PAGE_EXEC;
         }
-        if (!(result->prot & (1 << access_type))) {
+        if (!(result->f.prot & (1 << access_type))) {
             /* Access permission fault.  */
             fi->type = ARMFault_Permission;
             goto do_fault;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
          * the CPU doesn't support TZ or this is a non-secure translation
          * regime, because the attribute will already be non-secure.
          */
-        result->attrs.secure = false;
+        result->f.attrs.secure = false;
     }
-    result->phys = phys_addr;
+    result->f.phys_addr = phys_addr;
     return false;
 do_fault:
     fi->domain = domain;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
     if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
         ns = mmu_idx == ARMMMUIdx_Stage2;
         xn = extract32(attrs, 11, 2);
-        result->prot = get_S2prot(env, ap, xn, s1_is_el0);
+        result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
     } else {
         ns = extract32(attrs, 3, 1);
         xn = extract32(attrs, 12, 1);
         pxn = extract32(attrs, 11, 1);
-        result->prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
+        result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
     }
 
     fault_type = ARMFault_Permission;
-    if (!(result->prot & (1 << access_type))) {
+    if (!(result->f.prot & (1 << access_type))) {
         goto do_fault;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
          * the CPU doesn't support TZ or this is a non-secure translation
          * regime, because the attribute will already be non-secure.
          */
-        result->attrs.secure = false;
+        result->f.attrs.secure = false;
     }
     /* When in aarch64 mode, and BTI is enabled, remember GP in the IOTLB.  */
     if (aarch64 && guarded && cpu_isar_feature(aa64_bti, cpu)) {
-        arm_tlb_bti_gp(&result->attrs) = true;
+        arm_tlb_bti_gp(&result->f.attrs) = true;
     }
 
     if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
         result->cacheattrs.shareability = extract32(attrs, 6, 2);
     }
 
-    result->phys = descaddr;
-    result->page_size = page_size;
+    result->f.phys_addr = descaddr;
+    result->f.lg_page_size = ctz64(page_size);
     return false;
 
 do_fault:
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
 
     if (regime_translation_disabled(env, mmu_idx, is_secure)) {
         /* MPU disabled.  */
-        result->phys = address;
-        result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+        result->f.phys_addr = address;
+        result->f.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
         return false;
     }
 
-    result->phys = address;
+    result->f.phys_addr = address;
     for (n = 7; n >= 0; n--) {
         base = env->cp15.c6_region[n];
         if ((base & 1) == 0) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
             fi->level = 1;
             return true;
         }
-        result->prot = PAGE_READ | PAGE_WRITE;
+        result->f.prot = PAGE_READ | PAGE_WRITE;
         break;
     case 2:
-        result->prot = PAGE_READ;
+        result->f.prot = PAGE_READ;
         if (!is_user) {
-            result->prot |= PAGE_WRITE;
+            result->f.prot |= PAGE_WRITE;
         }
         break;
     case 3:
-        result->prot = PAGE_READ | PAGE_WRITE;
+        result->f.prot = PAGE_READ | PAGE_WRITE;
         break;
     case 5:
         if (is_user) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
             fi->level = 1;
             return true;
         }
-        result->prot = PAGE_READ;
+        result->f.prot = PAGE_READ;
         break;
     case 6:
-        result->prot = PAGE_READ;
+        result->f.prot = PAGE_READ;
         break;
     default:
         /* Bad permission.  */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
         fi->level = 1;
         return true;
     }
-    result->prot |= PAGE_EXEC;
+    result->f.prot |= PAGE_EXEC;
     return false;
 }
 
 static void get_phys_addr_pmsav7_default(CPUARMState *env, ARMMMUIdx mmu_idx,
-                                         int32_t address, int *prot)
+                                         int32_t address, uint8_t *prot)
 {
     if (!arm_feature(env, ARM_FEATURE_M)) {
         *prot = PAGE_READ | PAGE_WRITE;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
     int n;
     bool is_user = regime_is_user(env, mmu_idx);
 
-    result->phys = address;
-    result->page_size = TARGET_PAGE_SIZE;
-    result->prot = 0;
+    result->f.phys_addr = address;
+    result->f.lg_page_size = TARGET_PAGE_BITS;
+    result->f.prot = 0;
 
     if (regime_translation_disabled(env, mmu_idx, secure) ||
         m_is_ppb_region(env, address)) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
          * which always does a direct read using address_space_ldl(), rather
          * than going via this function, so we don't need to check that here.
          */
-        get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->prot);
+        get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->f.prot);
     } else { /* MPU enabled */
         for (n = (int)cpu->pmsav7_dregion - 1; n >= 0; n--) {
             /* region search */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                 if (ranges_overlap(base, rmask,
                                    address & TARGET_PAGE_MASK,
                                    TARGET_PAGE_SIZE)) {
-                    result->page_size = 1;
+                    result->f.lg_page_size = 0;
                 }
                 continue;
             }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                 continue;
             }
             if (rsize < TARGET_PAGE_BITS) {
-                result->page_size = 1 << rsize;
+                result->f.lg_page_size = rsize;
             }
             break;
         }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                 fi->type = ARMFault_Background;
                 return true;
             }
-            get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->prot);
+            get_phys_addr_pmsav7_default(env, mmu_idx, address,
+                                         &result->f.prot);
         } else { /* a MPU hit! */
             uint32_t ap = extract32(env->pmsav7.dracr[n], 8, 3);
             uint32_t xn = extract32(env->pmsav7.dracr[n], 12, 1);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                 case 5:
                     break; /* no access */
                 case 3:
-                    result->prot |= PAGE_WRITE;
+                    result->f.prot |= PAGE_WRITE;
                     /* fall through */
                 case 2:
                 case 6:
-                    result->prot |= PAGE_READ | PAGE_EXEC;
+                    result->f.prot |= PAGE_READ | PAGE_EXEC;
                     break;
                 case 7:
                     /* for v7M, same as 6; for R profile a reserved value */
                     if (arm_feature(env, ARM_FEATURE_M)) {
-                        result->prot |= PAGE_READ | PAGE_EXEC;
+                        result->f.prot |= PAGE_READ | PAGE_EXEC;
                         break;
                     }
                     /* fall through */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
                 case 1:
                 case 2:
                 case 3:
-                    result->prot |= PAGE_WRITE;
+                    result->f.prot |= PAGE_WRITE;
                     /* fall through */
                 case 5:
                 case 6:
-                    result->prot |= PAGE_READ | PAGE_EXEC;
+                    result->f.prot |= PAGE_READ | PAGE_EXEC;
                     break;
                 case 7:
                     /* for v7M, same as 6; for R profile a reserved value */
                     if (arm_feature(env, ARM_FEATURE_M)) {
-                        result->prot |= PAGE_READ | PAGE_EXEC;
+                        result->f.prot |= PAGE_READ | PAGE_EXEC;
                         break;
                     }
                     /* fall through */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
 
             /* execute never */
             if (xn) {
-                result->prot &= ~PAGE_EXEC;
+                result->f.prot &= ~PAGE_EXEC;
             }
         }
     }
 
     fi->type = ARMFault_Permission;
     fi->level = 1;
-    return !(result->prot & (1 << access_type));
+    return !(result->f.prot & (1 << access_type));
 }
 
 bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
     uint32_t addr_page_base = address & TARGET_PAGE_MASK;
     uint32_t addr_page_limit = addr_page_base + (TARGET_PAGE_SIZE - 1);
 
-    result->page_size = TARGET_PAGE_SIZE;
-    result->phys = address;
-    result->prot = 0;
+    result->f.lg_page_size = TARGET_PAGE_BITS;
+    result->f.phys_addr = address;
+    result->f.prot = 0;
     if (mregion) {
         *mregion = -1;
     }
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
                     ranges_overlap(base, limit - base + 1,
                                    addr_page_base,
                                    TARGET_PAGE_SIZE)) {
-                    result->page_size = 1;
+                    result->f.lg_page_size = 0;
                 }
                 continue;
             }
 
             if (base > addr_page_base || limit < addr_page_limit) {
-                result->page_size = 1;
+                result->f.lg_page_size = 0;
             }
 
             if (matchregion != -1) {
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
 
     if (matchregion == -1) {
         /* hit using the background region */
-        get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->prot);
+        get_phys_addr_pmsav7_default(env, mmu_idx, address, &result->f.prot);
     } else {
         uint32_t ap = extract32(env->pmsav8.rbar[secure][matchregion], 1, 2);
         uint32_t xn = extract32(env->pmsav8.rbar[secure][matchregion], 0, 1);
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
             xn = 1;
         }
 
-        result->prot = simple_ap_to_rw_prot(env, mmu_idx, ap);
-        if (result->prot && !xn && !(pxn && !is_user)) {
-            result->prot |= PAGE_EXEC;
+        result->f.prot = simple_ap_to_rw_prot(env, mmu_idx, ap);
+        if (result->f.prot && !xn && !(pxn && !is_user)) {
+            result->f.prot |= PAGE_EXEC;
         }
         /*
          * We don't need to look the attribute up in the MAIR0/MAIR1
@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
 
     fi->type = ARMFault_Permission;
     fi->level = 1;
-    return !(result->prot & (1 << access_type));
+    return !(result->f.prot & (1 << access_type));
 }
 
 static bool v8m_is_sau_exempt(CPUARMState *env,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
                 } else {
                     fi->type = ARMFault_QEMU_SFault;
                 }
-                result->page_size = sattrs.subpage ? 1 : TARGET_PAGE_SIZE;
-                result->phys = address;
-                result->prot = 0;
+                result->f.lg_page_size = sattrs.subpage ? 0 : TARGET_PAGE_BITS;
+                result->f.phys_addr = address;
+                result->f.prot = 0;
                 return true;
             }
         } else {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
              * might downgrade a secure access to nonsecure.
              */
             if (sattrs.ns) {
-                result->attrs.secure = false;
+                result->f.attrs.secure = false;
             } else if (!secure) {
                 /*
                  * NS access to S memory must fault.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
                  * for M_FAKE_FSR_SFAULT in arm_v7m_cpu_do_interrupt().
                  */
                 fi->type = ARMFault_QEMU_SFault;
-                result->page_size = sattrs.subpage ? 1 : TARGET_PAGE_SIZE;
-                result->phys = address;
-                result->prot = 0;
+                result->f.lg_page_size = sattrs.subpage ? 0 : TARGET_PAGE_BITS;
+                result->f.phys_addr = address;
+                result->f.prot = 0;
                 return true;
             }
         }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
     ret = pmsav8_mpu_lookup(env, address, access_type, mmu_idx, secure,
                             result, fi, NULL);
     if (sattrs.subpage) {
-        result->page_size = 1;
+        result->f.lg_page_size = 0;
     }
     return ret;
 }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
         result->cacheattrs.is_s2_format = false;
     }
 
-    result->phys = address;
-    result->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
-    result->page_size = TARGET_PAGE_SIZE;
+    result->f.phys_addr = address;
+    result->f.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+    result->f.lg_page_size = TARGET_PAGE_BITS;
     result->cacheattrs.shareability = shareability;
     result->cacheattrs.attrs = memattr;
     return 0;
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                 return ret;
             }
 
-            ipa = result->phys;
-            ipa_secure = result->attrs.secure;
+            ipa = result->f.phys_addr;
+            ipa_secure = result->f.attrs.secure;
             if (is_secure) {
                 /* Select TCR based on the NS bit from the S1 walk. */
                 s2walk_secure = !(ipa_secure
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
              * Save the stage1 results so that we may merge
              * prot and cacheattrs later.
              */
-            s1_prot = result->prot;
+            s1_prot = result->f.prot;
             cacheattrs1 = result->cacheattrs;
             memset(result, 0, sizeof(*result));
 
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
             fi->s2addr = ipa;
 
             /* Combine the S1 and S2 perms.  */
-            result->prot &= s1_prot;
+            result->f.prot &= s1_prot;
 
             /* If S2 fails, return early.  */
             if (ret) {
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
              * Check if IPA translates to secure or non-secure PA space.
              * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
              */
-            result->attrs.secure =
+            result->f.attrs.secure =
                 (is_secure
                  && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
                  && (ipa_secure
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
      * cannot upgrade an non-secure translation regime's attributes
      * to secure.
      */
-    result->attrs.secure = is_secure;
-    result->attrs.user = regime_is_user(env, mmu_idx);
+    result->f.attrs.secure = is_secure;
+    result->f.attrs.user = regime_is_user(env, mmu_idx);
 
     /*
      * Fast Context Switch Extension. This doesn't exist at all in v8.
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
 
     if (arm_feature(env, ARM_FEATURE_PMSA)) {
         bool ret;
-        result->page_size = TARGET_PAGE_SIZE;
+        result->f.lg_page_size = TARGET_PAGE_BITS;
 
         if (arm_feature(env, ARM_FEATURE_V8)) {
             /* PMSAv8 */
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                       (access_type == MMU_DATA_STORE ? "writing" : "execute"),
                       (uint32_t)address, mmu_idx,
                       ret ? "Miss" : "Hit",
-                      result->prot & PAGE_READ ? 'r' : '-',
-                      result->prot & PAGE_WRITE ? 'w' : '-',
-                      result->prot & PAGE_EXEC ? 'x' : '-');
+                      result->f.prot & PAGE_READ ? 'r' : '-',
+                      result->f.prot & PAGE_WRITE ? 'w' : '-',
+                      result->f.prot & PAGE_EXEC ? 'x' : '-');
 
         return ret;
     }
@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
     bool ret;
 
     ret = get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &res, &fi);
-    *attrs = res.attrs;
+    *attrs = res.f.attrs;
 
     if (ret) {
         return -1;
     }
-    return res.phys;
+    return res.f.phys_addr;
 }
diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
          * target page size are handled specially, so for those we
          * pass in the exact addresses.
          */
-        if (res.page_size >= TARGET_PAGE_SIZE) {
-            res.phys &= TARGET_PAGE_MASK;
+        if (res.f.lg_page_size >= TARGET_PAGE_BITS) {
+            res.f.phys_addr &= TARGET_PAGE_MASK;
             address &= TARGET_PAGE_MASK;
         }
         /* Notice and record tagged memory. */
         if (cpu_isar_feature(aa64_mte, cpu) && res.cacheattrs.attrs == 0xf0) {
-            arm_tlb_mte_tagged(&res.attrs) = true;
+            arm_tlb_mte_tagged(&res.f.attrs) = true;
         }
 
-        tlb_set_page_with_attrs(cs, address, res.phys, res.attrs,
-                                res.prot, mmu_idx, res.page_size);
+        tlb_set_page_full(cs, mmu_idx, address, &res.f);
         return true;
     } else if (probe) {
         return false;
-- 
2.25.1

From: Jerome Forissier <jerome.forissier@linaro.org>

According to the Linux kernel booting.rst [1], CPTR_EL3.ESM and
SCR_EL3.EnTP2 must be initialized to 1 when EL3 is present and FEAT_SME
is advertised. This has to be taken care of when QEMU boots directly
into the kernel (i.e., "-M virt,secure=on -cpu max -kernel Image").

Cc: qemu-stable@nongnu.org
Fixes: 78cb9776662a ("target/arm: Enable SME for -cpu max")
Link: [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/arm64/booting.rst?h=v6.0#n321
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Message-id: 20221003145641.1921467-1-jerome.forissier@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
                     if (cpu_isar_feature(aa64_sve, cpu)) {
                         env->cp15.cptr_el[3] |= R_CPTR_EL3_EZ_MASK;
                     }
+                    if (cpu_isar_feature(aa64_sme, cpu)) {
+                        env->cp15.cptr_el[3] |= R_CPTR_EL3_ESM_MASK;
+                        env->cp15.scr_el3 |= SCR_ENTP2;
+                    }
                     /* AArch64 kernels never boot in secure mode */
                     assert(!info->secure_boot);
                     /* This hook is only supported for AArch32 currently:
-- 
2.25.1

Arm CPUs support some subset of the granule (page) sizes 4K, 16K and
64K.  The guest selects the one it wants using bits in the TCR_ELx
registers.  If it tries to program these registers with a value that
is either reserved or which requests a size that the CPU does not
implement, the architecture requires that the CPU behaves as if the
field was programmed to some size that has been implemented.
Currently we don't implement this, and instead let the guest use any
granule size, even if the CPU ID register fields say it isn't
present.

Make aa64_va_parameters() check against the supported granule size
and force use of a different one if it is not implemented.

(A subsequent commit will make ARMVAParameters use the new enum
rather than the current pair of using16k/using64k bools.)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221003162315.2833797-2-peter.maydell@linaro.org
---
 target/arm/cpu.h       |  33 +++++++++++++
 target/arm/internals.h |   9 ++++
 target/arm/helper.c    | 102 +++++++++++++++++++++++++++++++++++++----
 3 files changed, 136 insertions(+), 8 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_tgran16_2_lpa2(const ARMISARegisters *id)
     return t >= 3 || (t == 0 && isar_feature_aa64_tgran16_lpa2(id));
 }
 
+static inline bool isar_feature_aa64_tgran4(const ARMISARegisters *id)
+{
+    return FIELD_SEX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4) >= 0;
+}
+
+static inline bool isar_feature_aa64_tgran16(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN16) >= 1;
+}
+
+static inline bool isar_feature_aa64_tgran64(const ARMISARegisters *id)
+{
+    return FIELD_SEX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN64) >= 0;
+}
+
+static inline bool isar_feature_aa64_tgran4_2(const ARMISARegisters *id)
+{
+    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4_2);
+    return t >= 2 || (t == 0 && isar_feature_aa64_tgran4(id));
+}
+
+static inline bool isar_feature_aa64_tgran16_2(const ARMISARegisters *id)
+{
+    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN16_2);
+    return t >= 2 || (t == 0 && isar_feature_aa64_tgran16(id));
+}
+
+static inline bool isar_feature_aa64_tgran64_2(const ARMISARegisters *id)
+{
+    unsigned t = FIELD_EX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN64_2);
+    return t >= 2 || (t == 0 && isar_feature_aa64_tgran64(id));
+}
+
 static inline bool isar_feature_aa64_ccidx(const ARMISARegisters *id)
 {
     return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, CCIDX) != 0;
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t aarch64_pstate_valid_mask(const ARMISARegisters *id)
     return valid;
 }
 
+/* Granule size (i.e. page size) */
+typedef enum ARMGranuleSize {
+    /* Same order as TG0 encoding */
+    Gran4K,
+    Gran64K,
+    Gran16K,
+    GranInvalid,
+} ARMGranuleSize;
+
 /*
  * Parameters of a given virtual address, as extracted from the
  * translation control register (TCR) for a given regime.
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static int aa64_va_parameter_tcma(uint64_t tcr, ARMMMUIdx mmu_idx)
     }
 }
 
+static ARMGranuleSize tg0_to_gran_size(int tg)
+{
+    switch (tg) {
+    case 0:
+        return Gran4K;
+    case 1:
+        return Gran64K;
+    case 2:
+        return Gran16K;
+    default:
+        return GranInvalid;
+    }
+}
+
+static ARMGranuleSize tg1_to_gran_size(int tg)
+{
+    switch (tg) {
+    case 1:
+        return Gran16K;
+    case 2:
+        return Gran4K;
+    case 3:
+        return Gran64K;
+    default:
+        return GranInvalid;
+    }
+}
+
+static inline bool have4k(ARMCPU *cpu, bool stage2)
+{
+    return stage2 ? cpu_isar_feature(aa64_tgran4_2, cpu)
+        : cpu_isar_feature(aa64_tgran4, cpu);
+}
+
+static inline bool have16k(ARMCPU *cpu, bool stage2)
+{
+    return stage2 ? cpu_isar_feature(aa64_tgran16_2, cpu)
+        : cpu_isar_feature(aa64_tgran16, cpu);
+}
+
+static inline bool have64k(ARMCPU *cpu, bool stage2)
+{
+    return stage2 ? cpu_isar_feature(aa64_tgran64_2, cpu)
+        : cpu_isar_feature(aa64_tgran64, cpu);
+}
+
+static ARMGranuleSize sanitize_gran_size(ARMCPU *cpu, ARMGranuleSize gran,
+                                         bool stage2)
+{
+    switch (gran) {
+    case Gran4K:
+        if (have4k(cpu, stage2)) {
+            return gran;
+        }
+        break;
+    case Gran16K:
+        if (have16k(cpu, stage2)) {
+            return gran;
+        }
+        break;
+    case Gran64K:
+        if (have64k(cpu, stage2)) {
+            return gran;
+        }
+        break;
+    case GranInvalid:
+        break;
+    }
+    /*
+     * If the guest selects a granule size that isn't implemented,
+     * the architecture requires that we behave as if it selected one
+     * that is (with an IMPDEF choice of which one to pick). We choose
+     * to implement the smallest supported granule size.
+     */
+    if (have4k(cpu, stage2)) {
+        return Gran4K;
+    }
+    if (have16k(cpu, stage2)) {
+        return Gran16K;
+    }
+    assert(have64k(cpu, stage2));
+    return Gran64K;
+}
+
 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
                                    ARMMMUIdx mmu_idx, bool data)
 {
     uint64_t tcr = regime_tcr(env, mmu_idx);
     bool epd, hpd, using16k, using64k, tsz_oob, ds;
     int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
+    ARMGranuleSize gran;
     ARMCPU *cpu = env_archcpu(env);
+    bool stage2 = mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S;
 
     if (!regime_has_2_ranges(mmu_idx)) {
         select = 0;
         tsz = extract32(tcr, 0, 6);
-        using64k = extract32(tcr, 14, 1);
-        using16k = extract32(tcr, 15, 1);
-        if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+        gran = tg0_to_gran_size(extract32(tcr, 14, 2));
+        if (stage2) {
             /* VTCR_EL2 */
             hpd = false;
         } else {
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         select = extract64(va, 55, 1);
         if (!select) {
             tsz = extract32(tcr, 0, 6);
+            gran = tg0_to_gran_size(extract32(tcr, 14, 2));
             epd = extract32(tcr, 7, 1);
             sh = extract32(tcr, 12, 2);
-            using64k = extract32(tcr, 14, 1);
-            using16k = extract32(tcr, 15, 1);
             hpd = extract64(tcr, 41, 1);
         } else {
-            int tg = extract32(tcr, 30, 2);
-            using16k = tg == 1;
-            using64k = tg == 3;
             tsz = extract32(tcr, 16, 6);
+            gran = tg1_to_gran_size(extract32(tcr, 30, 2));
             epd = extract32(tcr, 23, 1);
             sh = extract32(tcr, 28, 2);
             hpd = extract64(tcr, 42, 1);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         ds = extract64(tcr, 59, 1);
     }
 
+    gran = sanitize_gran_size(cpu, gran, stage2);
+    using64k = gran == Gran64K;
+    using16k = gran == Gran16K;
+
     if (cpu_isar_feature(aa64_st, cpu)) {
         max_tsz = 48 - using64k;
     } else {
-- 
2.25.1

Now we have an enum for the granule size, use it in the
ARMVAParameters struct instead of the using16k/using64k bools.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221003162315.2833797-3-peter.maydell@linaro.org
---
 target/arm/internals.h | 23 +++++++++++++++++++++--
 target/arm/helper.c    | 39 ++++++++++++++++++++++++++++-----------
 target/arm/ptw.c       |  8 +-------
 3 files changed, 50 insertions(+), 20 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef enum ARMGranuleSize {
     GranInvalid,
 } ARMGranuleSize;
 
+/**
+ * arm_granule_bits: Return address size of the granule in bits
+ *
+ * Return the address size of the granule in bits. This corresponds
+ * to the pseudocode TGxGranuleBits().
+ */
+static inline int arm_granule_bits(ARMGranuleSize gran)
+{
+    switch (gran) {
+    case Gran64K:
+        return 16;
+    case Gran16K:
+        return 14;
+    case Gran4K:
+        return 12;
+    default:
+        g_assert_not_reached();
+    }
+}
+
 /*
  * Parameters of a given virtual address, as extracted from the
  * translation control register (TCR) for a given regime.
@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
     bool tbi        : 1;
     bool epd        : 1;
     bool hpd        : 1;
-    bool using16k   : 1;
-    bool using64k   : 1;
     bool tsz_oob    : 1;  /* tsz has been clamped to legal range */
     bool ds         : 1;
+    ARMGranuleSize gran : 2;
 } ARMVAParameters;
 
 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
     uint64_t length;
 } TLBIRange;
 
+static ARMGranuleSize tlbi_range_tg_to_gran_size(int tg)
+{
+    /*
+     * Note that the TLBI range TG field encoding differs from both
+     * TG0 and TG1 encodings.
+     */
+    switch (tg) {
+    case 1:
+        return Gran4K;
+    case 2:
+        return Gran16K;
+    case 3:
+        return Gran64K;
+    default:
+        return GranInvalid;
+    }
+}
+
 static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
                                      uint64_t value)
 {
@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
     uint64_t select = sextract64(value, 36, 1);
     ARMVAParameters param = aa64_va_parameters(env, select, mmuidx, true);
     TLBIRange ret = { };
+    ARMGranuleSize gran;
 
     page_size_granule = extract64(value, 46, 2);
+    gran = tlbi_range_tg_to_gran_size(page_size_granule);
 
     /* The granule encoded in value must match the granule in use. */
-    if (page_size_granule != (param.using64k ? 3 : param.using16k ? 2 : 1)) {
+    if (gran != param.gran) {
         qemu_log_mask(LOG_GUEST_ERROR, "Invalid tlbi page size granule %d\n",
                       page_size_granule);
         return ret;
     }
 
-    page_shift = (page_size_granule - 1) * 2 + 12;
+    page_shift = arm_granule_bits(gran);
     num = extract64(value, 39, 5);
     scale = extract64(value, 44, 2);
     exponent = (5 * scale) + 1;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
                                    ARMMMUIdx mmu_idx, bool data)
 {
     uint64_t tcr = regime_tcr(env, mmu_idx);
-    bool epd, hpd, using16k, using64k, tsz_oob, ds;
+    bool epd, hpd, tsz_oob, ds;
     int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
     ARMGranuleSize gran;
     ARMCPU *cpu = env_archcpu(env);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
     }
 
     gran = sanitize_gran_size(cpu, gran, stage2);
-    using64k = gran == Gran64K;
-    using16k = gran == Gran16K;
 
     if (cpu_isar_feature(aa64_st, cpu)) {
-        max_tsz = 48 - using64k;
+        max_tsz = 48 - (gran == Gran64K);
     } else {
         max_tsz = 39;
     }
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
      * adjust the effective value of DS, as documented.
      */
     min_tsz = 16;
-    if (using64k) {
+    if (gran == Gran64K) {
         if (cpu_isar_feature(aa64_lva, cpu)) {
             min_tsz = 12;
         }
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         switch (mmu_idx) {
         case ARMMMUIdx_Stage2:
         case ARMMMUIdx_Stage2_S:
-            if (using16k) {
+            if (gran == Gran16K) {
                 ds = cpu_isar_feature(aa64_tgran16_2_lpa2, cpu);
             } else {
                 ds = cpu_isar_feature(aa64_tgran4_2_lpa2, cpu);
             }
             break;
         default:
-            if (using16k) {
+            if (gran == Gran16K) {
                 ds = cpu_isar_feature(aa64_tgran16_lpa2, cpu);
             } else {
                 ds = cpu_isar_feature(aa64_tgran4_lpa2, cpu);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         .tbi = tbi,
         .epd = epd,
         .hpd = hpd,
-        .using16k = using16k,
-        .using64k = using64k,
         .tsz_oob = tsz_oob,
         .ds = ds,
+        .gran = gran,
     };
 }
 
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
         }
     }
 
-    if (param.using64k) {
-        stride = 13;
-    } else if (param.using16k) {
-        stride = 11;
-    } else {
-        stride = 9;
-    }
+    stride = arm_granule_bits(param.gran) - 3;
 
     /*
      * Note that QEMU ignores shareability and cacheability attributes,
-- 
2.25.1

FEAT_GTG is a change tho the ID register ID_AA64MMFR0_EL1 so that it
can report a different set of supported granule (page) sizes for
stage 1 and stage 2 translation tables.  As of commit c20281b2a5048
we already report the granule sizes that way for '-cpu max', and now
we also correctly make attempts to use unimplemented granule sizes
fail, so we can report the support of the feature in the
documentation.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221003162315.2833797-4-peter.maydell@linaro.org
---
 docs/system/arm/emulation.rst | 1 +
 1 file changed, 1 insertion(+)